Stefan Eissing [Mon, 3 Mar 2025 12:32:31 +0000 (12:32 +0000)]
*) mod_md: update to version 2.0.30
- Fixed bug in handling over long response headers. When the 64 KB limit
of nghttp2 was exceeded, the request was not reset and the client was
left hanging, waiting for it. Now the stream is reset.
- Added new directive `H2MaxHeaderBlockLen` to set the limit on response
header sizes.
- Fixed handling of Timeout vs. KeepAliveTimeout when first request on a
connection was reset.
Joe Orton [Fri, 14 Feb 2025 16:08:23 +0000 (16:08 +0000)]
mod_dav: Fix error handling for dav_fs_dir_file_name():
dav_fs_dir_file_name() will not set *fname_p to NULL on failure,
and all callers of dav_fs_dir_file_name() do not check the
return value of dav_fs_dir_file_name(), which could lead to
undefined behaviour against fname_p.
Fix this by adding a return value check of dav_fs_dir_file_name().
Joe Orton [Mon, 20 Jan 2025 17:01:17 +0000 (17:01 +0000)]
CI: Add 64-bit ARM job to Linux workflow. See:
https://github.blog/changelog/2025-01-16-linux-arm64-hosted-runners-now-available-for-free-in-public-repositories-public-preview/
Stefan Eissing [Fri, 17 Jan 2025 16:12:28 +0000 (16:12 +0000)]
*) mod_http2: make test_h2_200_17+18 work reliably with
older and newer curl versions. Only a change in logging,
no function module change.
Newer curl sends a GOAWAY on connection shutdown which
triggers another code path that the test did not expect.
Thanks to Rainer Jung for tracking this down.
Stefan Eissing [Wed, 15 Jan 2025 12:48:52 +0000 (12:48 +0000)]
*) mod_md: update to version 2.4.31
- Improved error reporting when waiting for ACME server to verify domains
or finalizing the order fails, e.g. times out.
- Increased the timeouts to wait for ACME server to verify domain names
and issue the certificate from 30 seconds to 5 minutes.
- Change a log level from error to debug when Stapling is enabled but a
certificate carries no OCSP responder URL.
Ruediger Pluem [Mon, 13 Jan 2025 13:37:40 +0000 (13:37 +0000)]
* Do not add a space before '|' when setting the value for stickysession in the
balancer manager as this breaks the stickysession configuration once a new
configuration is submitted by the balancer manager.
Joe Orton [Wed, 8 Jan 2025 18:00:29 +0000 (18:00 +0000)]
* modules/generators/mod_autoindex.c (dsortf): Ensure the function
is transitive to avoid undefined behaviour, per:
https://www.qualys.com/2024/01/30/qsort.txt
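The transitivity requirement that this commit enforces for dsortf() is easy to get wrong, and the Qualys advisory linked above describes how glibc's qsort() can corrupt memory when a comparator violates it. The following added example is not httpd code: it uses a constructed stand-in entry type (hypothetical, not the struct in mod_autoindex.c) to contrast a non-transitive "fuzzy size" comparator with a comparator that defines a total order, and includes a brute-force consistency check that a test suite can run over a sample listing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a directory listing entry (hypothetical; not the
 * struct used in modules/generators/mod_autoindex.c). */
struct ent {
    const char *name;
    int is_dir;   /* directories are listed before files */
    long size;
};

/* Broken comparator: sizes that differ by less than 1024 bytes are treated as
 * "equal". That equality is not transitive (a~b and b~c do not imply a~c), so
 * qsort()'s precondition of a strict weak ordering is violated. */
static int cmp_fuzzy_size(const void *pa, const void *pb)
{
    const struct ent *a = pa, *b = pb;
    long d = a->size - b->size;
    if (d > -1024 && d < 1024)
        return 0;
    return d < 0 ? -1 : 1;
}

/* Correct comparator: a total order. Directories first, then by name, with
 * size as a final tie-break. No subtraction, so no overflow and no sign flip. */
static int cmp_dir_then_name(const void *pa, const void *pb)
{
    const struct ent *a = pa, *b = pb;
    if (a->is_dir != b->is_dir)
        return a->is_dir ? -1 : 1;
    int c = strcmp(a->name, b->name);
    if (c != 0)
        return c < 0 ? -1 : 1;
    if (a->size != b->size)
        return a->size < b->size ? -1 : 1;
    return 0;
}

static int sign(int v) { return (v > 0) - (v < 0); }

/* Brute-force check over all triples of the sample set: antisymmetry
 * (cmp(a,b) == -cmp(b,a)), transitivity of "<=" and transitivity of "==".
 * Returns 1 if the comparator is consistent on the given entries, 0 if not. */
int comparator_is_consistent(int (*cmp)(const void *, const void *),
                             const struct ent *e, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        for (size_t j = 0; j < n; j++) {
            int ab = sign(cmp(&e[i], &e[j]));
            if (ab != -sign(cmp(&e[j], &e[i])))
                return 0;
            for (size_t k = 0; k < n; k++) {
                int bc = sign(cmp(&e[j], &e[k]));
                int ac = sign(cmp(&e[i], &e[k]));
                if (ab <= 0 && bc <= 0 && ac > 0)
                    return 0;
                if (ab == 0 && bc == 0 && ac != 0)
                    return 0;
            }
        }
    }
    return 1;
}

/* Constructed sample listing; the sizes are chosen so that the fuzzy
 * comparator chains 1200 ~ 600 ~ 0 while 1200 != 0. */
static const struct ent sample[] = {
    { "zeta.txt",  0, 1200 },
    { "images",    1, 600  },
    { "alpha.txt", 0, 0    },
    { "docs",      1, 4096 },
};
#define NSAMPLE (sizeof(sample) / sizeof(sample[0]))

int fuzzy_comparator_consistent(void)
{
    return comparator_is_consistent(cmp_fuzzy_size, sample, NSAMPLE);
}

int safe_comparator_consistent(void)
{
    return comparator_is_consistent(cmp_dir_then_name, sample, NSAMPLE);
}

/* Sort a copy of the sample with the safe comparator and return the name at
 * position idx (NULL if out of range). Expected order: docs, images,
 * alpha.txt, zeta.txt. */
const char *sorted_name_at(size_t idx)
{
    static struct ent copy[NSAMPLE];
    memcpy(copy, sample, sizeof(sample));
    qsort(copy, NSAMPLE, sizeof(copy[0]), cmp_dir_then_name);
    return idx < NSAMPLE ? copy[idx].name : NULL;
}

int main(void)
{
    printf("fuzzy comparator consistent: %d\n", fuzzy_comparator_consistent());
    printf("safe comparator consistent:  %d\n", safe_comparator_consistent());
    for (size_t i = 0; i < NSAMPLE; i++)
        printf("  %s\n", sorted_name_at(i));
    return 0;
}
```

The consistency check is quadratic in the worst case and meant for test data, not for production listings; the point is that any comparator handed to qsort() should be provably a total (or strict weak) order, and a small brute-force check over representative entries catches the kind of non-transitive shortcut shown here before it reaches the sort.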
Joe Orton [Tue, 10 Dec 2024 17:20:36 +0000 (17:20 +0000)]
CI: Switch down to GCC 12, the ubuntu-latest image is not consistently
an Ubuntu 24.04 environment yet, this version should be available in
both the -22.04 and -24.04 images.
Stefan Eissing [Tue, 3 Dec 2024 09:47:26 +0000 (09:47 +0000)]
*) mod_md: update to version 2.4.29
- Fixed HTTP-01 challenges to not carry a final newline, as some ACME
servers fail to ignore it. [Michael Kaufmann (@mkauf)]
- Fixed missing label+newline in server-status plain text output when
MDStapling is enabled.
Eric Covener [Sun, 1 Dec 2024 14:16:42 +0000 (14:16 +0000)]
Don't use AuthFormLoginRequiredLocation in inline
Intro to inline says:
If a non-authenticated user attempts to access a page protected by
mod_auth_form that isn't configured with an AuthFormLoginRequiredLocation
directive, an HTTP_UNAUTHORIZED status code is returned to the browser
indicating to the user that they are not authorized to view the page.
The entire point seems to be to keep the URL the same by using an internal redirect
via ErrorDocument, and AuthFormLoginRequiredLocation conflicts with it.
Submitted By: Rishikeshan Lavakumar/Sulochana <oss AT @rishikeshan.com>
Joe Orton [Wed, 20 Nov 2024 10:23:03 +0000 (10:23 +0000)]
* modules/aaa/mod_authnz_ldap.c (create_authnz_ldap_dir_config): Fix allocation
of sgAttributes, found by gcc -fanalyzer:
modules/aaa/mod_authnz_ldap.c: scope_hint: In function 'create_authnz_ldap_dir_config'
modules/aaa/mod_authnz_ldap.c:356:23: warning[-Wanalyzer-allocation-size]: allocated buffer size is not a multiple of the pointee's size
Yann Ylavic [Wed, 16 Oct 2024 14:11:41 +0000 (14:11 +0000)]
mod_ssl: Revert r1868929 on trunk (only).
We discussed in 2019 that after 2.4.x's backport r1873907 we should apply
normal/usual merging for SSLProtocol in next versions (thus trunk first).
See: https://lists.apache.org/thread/76yh7j3fwj2tsmffsqcqpv4mcfph5vqx
Joe Orton [Mon, 14 Oct 2024 16:09:50 +0000 (16:09 +0000)]
CI: Use the image version in the cache keys. This is likely a simpler
and more robust fix for the issues with Perl XS builds being cached.
Root cause was likely "ubuntu-latest" changing from 22.04 to 24.04.
Cache keys will now change when that happens again, preventing reuse
of cached builds across OS versions.
Joe Orton [Fri, 11 Oct 2024 16:20:44 +0000 (16:20 +0000)]
mod_lua: Make r.ap_auth_type writable
This completes the option of setting the remote user by the authentication
mechanism which actually verified the user.
One possible use case is that a proxied (upstream) server performs the
authentication, but the access log of HTTPd does not contain this information.
The upstream server can pass this kind of information back to HTTPd and both
servers will have consistent access logs.
Joe Orton [Fri, 11 Oct 2024 07:32:05 +0000 (07:32 +0000)]
* modules/http/http_filters.c (parse_chunk_size):
Update comment after some investigation of a Squid interoperability
issue handling BWS after chunk-size, which httpd allows although
it is not permitted by RFC 7230 or RFC 9112. [skip ci]
Joe Orton [Tue, 1 Oct 2024 16:09:11 +0000 (16:09 +0000)]
mod_ssl: Add SSLClientHelloVars directive which exposes various
ClientHello properties in new SSL_CLIENTHELLO_* variables.
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Fixup_vars): Add
SSL_CLIENTHELLO_* vars.
(copy_clienthello_vars): New function.
(ssl_callback_ClientHello): Call it when needed.
* modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl_clienthello): New
function.
(ssl_var_lookup_ssl): Call it for SSL_CLIENTHELLO_*.
Stefan Eissing [Tue, 1 Oct 2024 10:36:42 +0000 (10:36 +0000)]
*) mod_http2:
h2_mplx: fix debug check when stream was not found
A "this should never happen" check logic was wrong when looking
*why* a stream that SHOULD be there was not. The loop did not
properly match streams in "purge" state.
The log warning issued has never been reported, so this code
seems to never actually do anything. Still fix the logic to
do what it is intended to.
Stefan Eissing [Tue, 17 Sep 2024 11:38:19 +0000 (11:38 +0000)]
*) mod_md: update to version 2.4.28
- When the server starts, it looks for new, staged certificates to
activate. If the staged set of files in 'md/staging/<domain>' is messed
up, this could prevent further renewals from happening. Now, when the staging
set is present, but could not be activated due to an error, purge the
whole directory. [icing]
- Fix certificate retrieval on ACME renewal to not require a 'Location:'
header returned by the ACME CA. This was the way it was done in ACME
before it became an IETF standard. Let's Encrypt still supports this,
but other CAs do not. [icing]
- Restore compatibility with OpenSSL < 1.1. [ylavic]
Joe Orton [Thu, 12 Sep 2024 16:04:39 +0000 (16:04 +0000)]
mod_ssl: Fix regression in r1914365 preventing pkcs11: key/cert lookup
via the ENGINE API without SSLCryptoDevice configured.
* modules/ssl/ssl_engine_pphrase.c
(modssl_load_keypair_engine): Return APR_ENOTIMPL if the ENGINE
could not be loaded for the key.
(modssl_load_engine_keypair): Always try loading via ENGINE
(as prior to r1914365) but fall back to the STORE API for
the new APR_ENOTIMPL case.
Joe Orton [Thu, 12 Sep 2024 07:59:22 +0000 (07:59 +0000)]
Add Multipath TCP (MPTCP) support (Proxy)
Multipath TCP (MPTCP), standardized in RFC8684 [1],
is a TCP extension that enables a TCP connection to
use different paths.
Multipath TCP has been used for several use cases.
On smartphones, MPTCP enables seamless handovers between
cellular and Wi-Fi networks while preserving established
connections. This use-case is what pushed Apple to use
MPTCP since 2013 in multiple applications [2]. On dual-stack
hosts, Multipath TCP enables the TCP connection to
automatically use the best performing path, either IPv4
or IPv6. If one path fails, MPTCP automatically uses
the other path.
To benefit from MPTCP, both the client and the server
have to support it. Multipath TCP is a backward-compatible
TCP extension that is enabled by default on recent
Linux distributions (Debian, Ubuntu, Redhat, ...). Multipath
TCP is included in the Linux kernel since version 5.6 [3].
To use it on Linux, an application must explicitly enable
it when creating the socket. No need to change anything
else in the application.
Adding the possibility to create MPTCP sockets would thus
be a really fine addition to httpd, by allowing clients
to make use of their different interfaces.
This patch introduces the possibility to connect to backend
servers using MPTCP. Note however that these changes are
only available on Linux, as IPPROTO_MPTCP is Linux specific
for the time being.
For proxies, we can connect using MPTCP by passing the
"multipathtcp" parameter:
This patch introduces the possibility to listen with MPTCP
sockets. Note however that these changes are only available
on Linux, as IPPROTO_MPTCP is Linux specific for the time being.
To do so, we extended the Listen directive to include
a "multipathtcp" option, allowing to create MPTCP sockets
instead of regular TCP ones:
Listen 80 options=multipathtcp
We then store this information in flags for the listen directive
and create sockets appropriately according to this value.
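The two steps the commit message describes, recognising the `options=multipathtcp` token of a Listen line and then creating the socket with `IPPROTO_MPTCP` instead of `IPPROTO_TCP`, are shown below in an added example that is not httpd's own code. The flag name `LISTEN_FLAG_MPTCP`, the `parse_listen_options()` and `open_listener()` functions and the fallback-to-TCP policy are all assumptions of this example; httpd's real implementation in the listen code differs. The `IPPROTO_MPTCP` fallback define matches the Linux UAPI value and is only there so the file compiles against older libc headers.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Linux-specific protocol number; older libc headers do not define it. */
#ifndef IPPROTO_MPTCP
#define IPPROTO_MPTCP 262
#endif

/* Hypothetical flag bit for the parsed Listen option (not httpd's own name). */
#define LISTEN_FLAG_MPTCP 0x1u

/* Parse the arguments of a Listen directive, e.g. "80 options=multipathtcp",
 * and record recognised options in *flags_out. Returns 0 on success and -1 on
 * an unknown option: a typo in the config must fail loudly rather than
 * silently produce a plain TCP listener. */
int parse_listen_options(const char *args, unsigned *flags_out)
{
    char buf[256];
    unsigned flags = 0;
    if (strlen(args) >= sizeof buf)
        return -1;
    strcpy(buf, args);
    char *save = NULL;
    for (char *tok = strtok_r(buf, " \t", &save); tok;
         tok = strtok_r(NULL, " \t", &save)) {
        if (strncmp(tok, "options=", 8) != 0)
            continue;                      /* address:port or protocol token */
        char *osave = NULL;
        for (char *opt = strtok_r(tok + 8, ",", &osave); opt;
             opt = strtok_r(NULL, ",", &osave)) {
            if (strcmp(opt, "multipathtcp") == 0)
                flags |= LISTEN_FLAG_MPTCP;
            else
                return -1;
        }
    }
    *flags_out = flags;
    return 0;
}

enum listener_kind { LISTENER_NONE = -1, LISTENER_TCP = 0, LISTENER_MPTCP = 1 };

/* Open a listening socket on 127.0.0.1:port (port 0 = kernel-chosen). When the
 * MPTCP flag is set, try IPPROTO_MPTCP first and fall back to plain TCP if the
 * kernel or platform rejects it (typically EPROTONOSUPPORT). *kind_out reports
 * what was actually created so the server can log it. Returns the fd or -1. */
int open_listener(unsigned short port, unsigned flags, enum listener_kind *kind_out)
{
    int fd = -1;
    enum listener_kind kind = LISTENER_NONE;

    if (flags & LISTEN_FLAG_MPTCP) {
        fd = socket(AF_INET, SOCK_STREAM, IPPROTO_MPTCP);
        if (fd >= 0)
            kind = LISTENER_MPTCP;
    }
    if (fd < 0) {
        fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
        if (fd < 0) {
            *kind_out = LISTENER_NONE;
            return -1;
        }
        kind = LISTENER_TCP;
    }

    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        *kind_out = LISTENER_NONE;
        return -1;
    }
    *kind_out = kind;
    return fd;
}

int main(void)
{
    unsigned flags = 0;
    /* Constructed directive arguments, as they would follow "Listen". */
    if (parse_listen_options("80 options=multipathtcp", &flags) != 0)
        return 1;
    enum listener_kind kind;
    int fd = open_listener(0, flags, &kind);
    if (fd < 0) {
        perror("open_listener");
        return 1;
    }
    printf("listening with %s\n", kind == LISTENER_MPTCP ? "MPTCP" : "plain TCP");
    close(fd);
    return 0;
}
```

Whether the fallback to plain TCP is desirable is a policy decision: a server that was explicitly configured for MPTCP may prefer to fail at startup instead, which is why the example records the outcome in `kind_out` so that the caller can either log the downgrade or refuse it.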
* Leave the proper escaping of the URL and the adding of r->args to the
proxy module which runs after us after r1920570.
Just take care to add r->args in case the proxy rule has the
[NE] flag set and tell the proxy module to not escape in this case.
mod_rewrite, mod_proxy: mod_proxy to canonicalize rewritten [P] URLs. PR 69235.
When mod_rewrite sets a "proxy:" URL with [P], it should be canonicalized by
mod_proxy still, notably to handle any "unix:" local socket part.
To avoid double encoding in perdir context, a follow up commit should remove the
ap_escape_uri() done in mod_rewrite since it's now on mod_proxy to canonicalize,
per PR 69260.