Stefan Eissing [Thu, 25 Aug 2022 14:00:13 +0000 (14:00 +0000)]
mod_md v2.4.19 from github sync
*) mod_md: a new directive `MDStoreLocks` can be used on cluster
setups with a shared file system for `MDStoreDir` to order
activation of renewed certificates when several cluster nodes are
restarted at the same time. Store locks are not enabled by default.
Restored curl_easy cleanup behaviour from v2.4.14 and refactored
the use of curl_multi for OCSP requests to work with that.
Fixes <https://github.com/icing/mod_md/issues/293>.
Stefan Eissing [Mon, 1 Aug 2022 12:56:11 +0000 (12:56 +0000)]
*) mod_ssl: when a proxy connection had handled a request using SSL, an
error was logged when "SSLProxyEngine" was only configured in the
location/proxy section and not the overall server. The connection
continued to work, the error log was in error. Fixed PR66190.
core: Follow up to r1902728: pools may have no allocator with APR_POOL_DEBUG.
With APR <= 1.7 and APR_POOL_DEBUG, thread's pools don't necessarily have an
allocator, so avoid apr_allocator_max_free_set(NULL) in ap_thread_create() and
ap_thread_main_create().
Also, always create an allocator in ap_thread_current_create().
util_pcre: Restore nmatch < ncaps behaviour with PCRE1 (only).
When the requested nmatch is below the number of captures for the regex (i.e.
nmatch is zero if the user does not care about the captures), with PCRE1 we can
pass a smaller ovector to pcre_exec() (or even NULL) which allows for somes
optimizations (less or even no recursion) internally in pcre.
This might avoid crashes due to stack usage/exhaustion with pathological
patterns (see BZ 66119).
util_pcre: Add a thread local subpool cache for when stack does not suffice.
When AP_HAS_THREAD_LOCAL is available, use a thread-local match_thread_state to
save per-thread data in a subpool of the thread's pool.
If private_malloc() gets out of the stack buffer and the current thread has a
pool (i.e. ap_thread_current() != NULL), it will apr_palloc()ate and return
memory from the subpool.
When the match is complete and the match_data are freed, the thread subpool is
cleared thus giving back the memory to the allocator, which itself will give
back the memory or recycle it depending on its max_free setting.
* util_pcre.c:
Restore POSIX_MALLOC_THRESHOLDsince this is part of the user API.
* util_pcre.c(match_data_pt):
Type not used (explicitely) anymore, axe.
* util_pcre.c(struct match_data_state):
Put the stack buffer there to simplify code (the state is allocated on
stack anyway).
If APREG_USE_THREAD_LOCAL, add the apr_thread_t* and match_thread_state*
fields that track the thread local data for the match.
* util_pcre.c(alloc_match_data, free_match):
Renamed to setup_state() and cleanup_state(), simplified (no stack buffer
parameters anymore).
cleanup_state() now clears the thread local subpool if used during the match.
setup_state() set state->thd to ap_thread_current(), thus NULL if it's not a
suitable thread for using thread local data.
* util_pcre.c(private_malloc):
Fix a possible buf_used overflow (size <= avail < APR_ALIGN_DEFAULT(size)).
Create the thread local subpool (once per thread) and allocate from there
when stack space is missing and state->thd != NULL, otherwise fall back to
malloc() still.
* util_pcre.c(private_free):
Do nothing for thread local subpool memory, will be freed in cleanup_state
eventually.
core: Apply ap_max_mem_free to created threads' pool allocator.
Since APR does not set the threshold above which the allocator of the thread's
starts returning its memory to the system, so set ap_max_mem_free from
ap_thread_create(), ap_thread_main_create() and ap_thread_current_create().
* include/httpd.h:
Provide our own ap_thread_create() in any case (but !APR_HAS_THREADS).
Simplify #ifdef-ery.
* server/util.c(thread_start, ap_thread_main_create, ap_thread_current_create):
Set ap_max_mem_free to the thread's pool allocator.
Simplify #ifdef-ery.
Stefan Eissing [Sat, 2 Jul 2022 09:39:22 +0000 (09:39 +0000)]
*) mod_http2: fixed trailer handling. Empty response bodies
prevented trailers from being sent to a client. See
<https://github.com/icing/mod_h2/issues/233> for how
this affected gRPC use.
Stefan Eissing [Sat, 2 Jul 2022 09:11:31 +0000 (09:11 +0000)]
*) test/modules/http2: adding tests for response trailers with
or without a body. This reproduces a bug reported in
<https://github.com/icing/mod_h2/issues/233>
where trailers are not sent on an empty response
body. This is used in gRPC.
Stefan Eissing [Fri, 17 Jun 2022 09:24:57 +0000 (09:24 +0000)]
*) mod_http2: new implementation of h2 worker pool.
- O(1) cost at registration of connection processing producers
- no limit on registered producers
- join of ongoing work on unregister
- callbacks to unlink dependencies into other h2 code
- memory cleanup on workers deactivation (on idle timeouts)
- idle_limit as apr_time_t instead of seconds
Eric Covener [Sat, 4 Jun 2022 15:37:33 +0000 (15:37 +0000)]
-qinitauto=FE conflicts with -qcheck=unset
maintainer mode only
causes a warning for every compiler invocation. If automatics are initialized
by -qinitauto, use before being assigned cannot be detected with -qcheck=unset
(part of all)
Yann Ylavic [Wed, 1 Jun 2022 09:56:43 +0000 (09:56 +0000)]
mod_proxy: Let fixup hooks know about the Host header (and eventually overwrite it).
If proxy_run_fixups() sets a Host header there will be two ones sent to the
origin server.
Instead, let the hooks know about the Host by setting it in the r->headers_in
passed to proxy_run_fixups(), and use the actual value afterwards.
Note: if proxy_run_fixups() unsets the Host we'll keep ours.
Yann Ylavic [Tue, 31 May 2022 23:01:24 +0000 (23:01 +0000)]
mod_ssl: SSLFIPS compatible with OpenSSL 3.0. PR 66063.
* modules/ssl/ssl_private.h():
#define modssl_fips_is_enabled() and modssl_fips_enable() to wrap the
native OpenSSL FIPS functions available on OPENSSL_VERSION_NUMBER.
* modules/ssl/ssl_engine_init.c(ssl_init_Module, modssl_fips_cleanup):
Use the new wrappers instead of the OPENSSL_VERSION_NUMBER < 3.0 functions.
Submitted by: Petr Sumbera <petr.sumbera oracle.com>, ylavic
Yann Ylavic [Tue, 31 May 2022 15:06:13 +0000 (15:06 +0000)]
mod_proxy: Align ap_proxy_create_hdrbrgd() with 2.4.x's.
In 2.4.x, the copy of r->headers_in is left in r->headers_in for the whole
function, while the original r->headers_in are restored at the end. This
is simpler and avoids the r->headers_in <=> saved_headers_in danse when
calling a function that modifies r->headers_in in place.
Yann Ylavic [Mon, 30 May 2022 15:54:34 +0000 (15:54 +0000)]
mod_proxy_http: Avoid 417 responses for non forwardable 100-continue. PR 65666.
Stop returning 417 when mod_proxy has to forward an HTTP/1.1 request with both
"Expect: 100-continue" and "force-proxy-request-1.0" set, mod_proxy can instead
handle the 100-continue by itself before forwarding the request, like in the
"Proxy100Continue Off" case.
Note that this does not change the behaviour of httpd receiving an HTTP/1.0
request with an Expect header, ap_check_request_header() will still correctly
return 417 in this case.
Stefan Eissing [Thu, 26 May 2022 08:43:13 +0000 (08:43 +0000)]
Merge of PR 318:
*) core: the conf/mime.types has been updated in conformance with RFC 9239:
- .js moved from 'application/javascript' to 'text/javascript'
- .mjs was added as 'text/javascript'
[Mathias Bynens <@mathiasbynens> via PR 318]
Stefan Eissing [Wed, 25 May 2022 11:32:52 +0000 (11:32 +0000)]
*) mod_md: a logic bug in sending long OCSP HTTP request bodies was fixed.
This did not happen in normal use as request sizes for OSCP queries
never exceed that length.
Ruediger Pluem [Fri, 20 May 2022 15:15:24 +0000 (15:15 +0000)]
* Port r546128 to mod_proxy_connect to ensure that core_pre_connection does not
succeed in resetting the timeout of our socket to base_server->timeout.
Stefan Eissing [Fri, 13 May 2022 11:03:51 +0000 (11:03 +0000)]
*) mod_md: the `MDCertificateAuthority` directive can take more than one URL/name of
an ACME CA. This gives a failover for renewals when several consecutive attempts
to get a certificate failed.
A new directive was added: `MDRetryDelay` sets the delay of retries.
A new directive was added: `MDRetryFailover` sets the number of errored
attempts before an alternate CA is selected for certificate renewals.
projects / thirdparty / apache / httpd.git / log
