Stefan Eissing [Tue, 5 Sep 2017 13:10:11 +0000 (13:10 +0000)]
On the trunk:
*) mod_md: v0.9.1:
- various fixes in MDRenewWindow handling when specifying percent. Serialization changed. If
someone already used percent configurations, it is advised to change these to a new value,
reload and change back to the wanted ones.
- various fixes in handling of MDPrivateKeys when specifying 2048 bits (the default) explicitly.
- mod_md version removed from top level md_store.json file. The store has its own format version
to facilitate upgrades.
Stefan Eissing [Mon, 4 Sep 2017 15:10:59 +0000 (15:10 +0000)]
On the trunk:
*) mod_http2: DoS flow control protection is less aggressive as long as active tasks stay
below worker capacity. Intended to fix problems with media streaming.
Stefan Eissing [Mon, 4 Sep 2017 14:07:29 +0000 (14:07 +0000)]
On the trunk:
mod_md:
* Improved interface to mod_ssl for fallback handling. Backward compatible to previous mod_ssl
patch, but fallbacks will not work.
* Provide a temporary, self-signed certificate with a speaking command and domain name if we
have no other cert for a Managed Domain, yet. Refs github issue #32
* Continue to provide expired or not-completely matching, existing certificate for a Managed
Domain until the renewal was successful. This is helpful when one adds a DNS name to
a MD, so the previous domains can be served while a new cert is requested.
* All files necessary to run tests are not in the release package.
* Making "http-01" the preferred challenge type again, as "tls-sni-01" requires at least
one working certificate vhost right now - which not everyone has.
* moved part of the MD sanity checks from post_config to check_config phase, allowing for error
detection in check-only runs.
Luca Toscano [Mon, 28 Aug 2017 12:34:58 +0000 (12:34 +0000)]
synopsis.xsl: fix broken translation builds
This commit is a follow-up of r1805189, in which
new logic was added to allow repeating a directive
name only if its type is different (like SSLPolicy
and <SSLPolicy>). The change broke French translations
since the $this variable, containing the translated
sections, was not used anymore.
The XPath code could surely be improved, but it seems
more pressing to allow our translators to get back
to their daily work without interference.
build.sh validate-* worked fine, as well as the build.sh fr
translation.
Fix a compilation warning introduced by r1802040.
mod_proxy_fcgi.c:893:19: warning: ‘flushpoll’ may be used uninitialized in this function [-Wmaybe-uninitialized]
Luca Toscano [Fri, 18 Aug 2017 08:21:43 +0000 (08:21 +0000)]
doc xsl/dtd: introduce idtype attribute for directivesynopsis
In r1805193 synopsis.xsl was changed to allow two directives
of different type (like <SSLPolicy> and SSLPolicy) to share
the same name but have different ids (and please validate-xml/xhtml).
The downside of this action was that all the quicklinks to
existing directive sections (like <If>, <VirtualHost>, etc..)
were changed, possibly breaking external clients already
referencing them.
This change introduces a new attribute in the directivesynopsis
DTD, namely 'idtype', that will be appended to 'name'
in the id generation by synopsis.xsl. This will roll back
link names to their previous values and will allow documenters
to fine-tune directivesynopsis sections as they need
(for example we have recently introduced mod_md's
ManagedDomain/<ManagedDomain>, and mod_ssl's SSLPolicy/<SSLPolicy>).
This approach seems more precise and less invasive to me.
Of course the name of the attribute can be changed later on
to whatever term would fit best, the main concern for me at
the moment is to restore the trunk documentation to its previous
state.
Stefan Eissing [Thu, 17 Aug 2017 14:34:44 +0000 (14:34 +0000)]
On the trunk:
mod_md v0.7.0:
- LIVE: the real Let's Encrypt CA is now live by default! If you need to experiment, configure
MDCertificateAuthority https://acme-staging.api.letsencrypt.org/directory
- When existing, complete certificates are renewed, the activation of the new ones is
delayed by 24 hours (or until the existing ones expire, whichever is earlier) to accommodate
clients with weird clocks, refs #1.
- Fixed store sync when MDCAChallenges was removed again from an MD.
- Fixed crash when MD matched the base server, fixes #23
- Fixed watchdog resetting staging when server processes disappeared (e.g. reached
max requests or other limits).
Luca Toscano [Wed, 16 Aug 2017 13:40:12 +0000 (13:40 +0000)]
common|synopsis.xsl: rename directive type=sections id generation
This commit is a follow-up of r1805189 and it is meant
to allow directives with the same name but different type
to coexist in the same document without triggering errors
while executing validate-xhtml.
For example: mod_md.xml recently introduced the following:
* ManagedDomain
* <ManagedDomain> (this one is type=section)
In my opinion this is a perfectly valid use case and it should
be allowed/handled correctly by the doc generation process/validation.
In order to avoid clashing, the directive ids will get a suffix
called "section" if type=section is present as a param.
Quicklinks and <directive> links have been updated to the new
scheme to avoid dangling pointers in the doc.
Comments/reviews are welcome, if I left something behind
please let me know.
Luca Toscano [Wed, 16 Aug 2017 13:04:55 +0000 (13:04 +0000)]
synopsis.xsl: do not render the same directive HTML twice
if more than one directive shares the same name.
This has happened when mod_md.xml was introduced,
and the following directives shared the same name:
* ManagedDomain
* <ManagedDomain>
With the current code each time that a node needs
to be rendered it will emit a duplicate, ending up
in the above example with 4 sections rather than two.
Uniqueness of sections will be ensured by the HTML
elements ids, to avoid errors before committing for
example (accidental duplicates, etc..).
Stefan Eissing [Wed, 16 Aug 2017 12:43:41 +0000 (12:43 +0000)]
On the trunk:
mod_ssl: do not use the SSLV3 constant (which defines what we mean by SSL version 3) if OpenSSL does not know about SSL version 3; then we pretend not to know about it either.
I have recently got some basic mod_proxy concepts
and this simple info would have helped me a lot:
- connection pooling == reuse. My brain did not pick
up this simple nomenclature at first read for some
reason, probably because we have parameters called
"*reuse*" and not "*pooling*". I find the term
"reuse" clearer than "pooling", but this is
debatable :)
- the concept of "Worker" needs to be read before
the ProxyPass section (that people probably read
directly after checking a search engine) to fully
understand its power.
- the fact that a worker is related to a single process
(and not shared as a Balancer) is a really important
concept that I tried to highlight when talking
about maxconns (question popped up a lot of times
from users).
Hope that my understanding is correct, feedback is welcome.
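The two points above (a "worker" is defined per ProxyPass or BalancerMember, and its connection pool lives in each httpd child process rather than being shared the way a balancer is) are easier to see in a configuration. The following is an added illustration, not part of the commit or of the httpd documentation; the backend host names are placeholders, and the parameters used (max, ttl, enablereuse, lbmethod) are standard mod_proxy worker/balancer parameters.

```apache
# Added example (not from the commit): one mod_proxy worker per ProxyPass.
# Backend host names are placeholders.

# A plain reverse-proxy worker. "reuse" here is what the message calls
# connection pooling: idle backend connections are kept and reused.
# Every httpd child process holds its own instance of this worker, so
# max=20 caps connections to the backend PER PROCESS, not server-wide;
# with N child processes the backend may see up to N * 20 connections.
ProxyPass        "/app/" "http://app.example.test:8080/" max=20 ttl=120 enablereuse=On
ProxyPassReverse "/app/" "http://app.example.test:8080/"

# A balancer: each BalancerMember is itself a worker (with its own
# per-process pool and max), while the balancer definition is the part
# that is shared across processes, as the message says.
<Proxy "balancer://appcluster">
    BalancerMember "http://app1.example.test:8080" max=10
    BalancerMember "http://app2.example.test:8080" max=10
    ProxySet lbmethod=byrequests
</Proxy>
ProxyPass        "/cluster/" "balancer://appcluster/"
ProxyPassReverse "/cluster/" "balancer://appcluster/"
```

When sizing a backend against such a configuration, multiply the per-worker max by the number of httpd child processes (for example ServerLimit with the event or worker MPM) to get the real upper bound of concurrent backend connections.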
event: Avoid possible blocking in the listener thread when shutting down
connections. PR 60956.
start_lingering_close_nonblocking() now puts connections in defer_linger_chain
which is emptied by any worker thread (all atomically) after its usual work,
hence any possibly blocking flush and lingering close run outside the listener.
The listener may create a dedicated worker if it fills defer_linger_chain or
while it's not empty, calling push2worker with a NULL cs.
The state machine in process_socket() is slightly modified to be able to enter
with CONN_STATE_LINGER directly w/o clogging_input_filters to interfere.
New abort_socket_nonblocking() allows resetting connections when nonblocking is
required and we can't do much about the connection anymore, nor do we want the
system to linger on its own after close().
Many thanks to Stefan Priebe for his heavy testing on many event's changes!