Yann Ylavic [Sat, 14 Oct 2017 16:27:14 +0000 (16:27 +0000)]
Follow up to r1740928: including NOT_IN_PROXY in NOT_IN_DIR_LOC_FILE is both
incomplete and not backportable, fix it by introducing NOT_IN_DIR_CONTEXT and
restoring NOT_IN_DIR_LOC_FILE to its previous value.
Per ap_check_cmd_context(), NOT_IN_DIR_LOC_FILE actually/really means "not in
any directory context", while the definition itself does not include all the
existing directory contexts (e.g. <Limit>, or <Proxy> before r1740928).
This is a bit of a misnomer, at least, so instead of (ab)using it by adding the
missing contexts (in an incompatible way), let's define NOT_IN_DIR_CONTEXT to
really exclude all directory context (i.e. NOT_IN_DIR_LOC_FILE + NOT_IN_LIMIT +
NOT_IN_PROXY) and use it wherever NOT_IN_DIR_LOC_FILE was used.
This is by itself a major MMN bump (modules not compiled with this commit and
having directives checked against NOT_IN_DIR_LOC_FILE won't be caught the same
way by NOT_IN_DIR_CONTEXT in the new ap_check_cmd_context() code), but with the
below change, 2.4.x should work as before:
- if ((forbidden & NOT_IN_DIR_CONTEXT) == NOT_IN_DIR_CONTEXT) {
+ if ((forbidden & NOT_IN_DIR_LOC_FILE) == NOT_IN_DIR_LOC_FILE) {
if (cmd->path != NULL) {
return apr_pstrcat(cmd->pool, cmd->cmd->name, gt,
- " cannot occur within directory context", NULL);
+ " cannot occur within <Directory/Location/Files/Proxy> "
+ "section", NULL);
}
...
}
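Review bot: the message in the `+` lines names <Proxy> while the mask guarding it, NOT_IN_DIR_LOC_FILE, is being restored to its pre-r1740928 value, which per the description above does not include NOT_IN_PROXY (nor NOT_IN_LIMIT); since the branch fires on `cmd->path != NULL` it is also reached for a <Limit> section, so either keep the trunk wording "cannot occur within directory context" or list every context the check actually rejects, and add a comment that the 2.4.x mask intentionally differs from trunk's NOT_IN_DIR_CONTEXT.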
Joe Orton [Thu, 12 Oct 2017 15:11:50 +0000 (15:11 +0000)]
Add optional _RAW suffix to SSL_*_DN_xx attribute names, allowing
users to convert an attribute value without conversion to UTF-8. (A
public CA has issued certs with attributes tagged as the wrong ASN.1
string types.)
* modules/ssl/ssl_util_ssl.c (asn1_string_convert): Rename from
asn1_string_to_utf8; add raw argument. Reimplement _to_utf8 as
macro.
(modssl_X509_NAME_ENTRY_to_string): Add raw argument.
* modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl_cert_dn): Use raw
string conversion if _RAW suffix is present in DN component.
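The following is an added illustration of why an unconverted `_RAW` variant of the DN variables helps when a certificate attribute carries the wrong ASN.1 string tag; it is not mod_ssl's code. The function names mirror the ones named in the commit message but are a hypothetical Python reimplementation, the tag-to-charset table is a constructed subset, and the sample DN is constructed with a deliberate mis-tag.

```python
# Added illustration, not mod_ssl's implementation: a DN attribute whose bytes
# are really UTF-8 but whose ASN.1 tag says T61String gets mangled by the
# tag-driven conversion, while the _RAW lookup hands back the bytes untouched.

# Constructed subset of ASN.1 string types and the charset a converter would
# assume for each (real ASN.1 defines more types than these).
ASN1_CHARSETS = {
    "UTF8String": "utf-8",
    "PrintableString": "ascii",
    "IA5String": "ascii",
    "T61String": "latin-1",   # commonly treated as ISO-8859-1 in practice
    "BMPString": "utf-16-be",
}


def asn1_string_convert(tag: str, value: bytes, raw: bool = False) -> bytes:
    """Return the attribute value as bytes.

    raw=True passes the encoded bytes through unchanged; otherwise the bytes
    are interpreted according to the declared ASN.1 tag and transcoded to
    UTF-8, which is exactly what goes wrong when the tag is a lie.
    """
    if raw:
        return value
    charset = ASN1_CHARSETS[tag]
    return value.decode(charset, errors="replace").encode("utf-8")


def asn1_string_to_utf8(tag: str, value: bytes) -> bytes:
    """Hypothetical stand-in for the old non-raw entry point."""
    return asn1_string_convert(tag, value, raw=False)


def ssl_var_lookup_dn_component(dn: dict, component: str) -> bytes:
    """Resolve an SSL_*_DN_<component>[_RAW] style lookup against a parsed DN.

    `dn` maps component name -> (asn1_tag, encoded_bytes).  A trailing _RAW
    suffix selects the unconverted bytes; otherwise the tag-driven UTF-8
    conversion is applied.
    """
    raw = component.endswith("_RAW")
    if raw:
        component = component[: -len("_RAW")]
    tag, value = dn[component]
    return asn1_string_convert(tag, value, raw=raw)


# Constructed sample DN: the issuing CA encoded "Zürich" as UTF-8 bytes but
# tagged the locality attribute as T61String (the wrong type on purpose).
SAMPLE_DN = {
    "CN": ("PrintableString", b"example.test"),
    "L": ("T61String", "Zürich".encode("utf-8")),
}


if __name__ == "__main__":
    # The converted value is mojibake; the raw value still decodes as UTF-8.
    print("L     :", ssl_var_lookup_dn_component(SAMPLE_DN, "L"))
    print("L_RAW :", ssl_var_lookup_dn_component(SAMPLE_DN, "L_RAW"))
```

Anything that compares DN components against a configured value (an SSLRequire expression, an authorization rule keyed on the DN) should decide explicitly which form it matches on: the converted form is the right one for correctly tagged certificates, the raw form is the only one that survives a mis-tagged issuer unchanged.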
Joe Orton [Wed, 11 Oct 2017 14:48:55 +0000 (14:48 +0000)]
* server/util_script.c (ap_add_common_vars): Allow mod_env to override
all system path environment variables, not just PATH. (The
behaviour for PATH alone was changed in r965679 for PR 43906.)
Luca Toscano [Tue, 10 Oct 2017 17:41:37 +0000 (17:41 +0000)]
core, mod_rewrite: introduce the 'redirect-keeps-vary' note
to allow proper Vary header insertion when
dealing with a RewriteRule in a directory
context.
This change is an attempt to fix a long standing problem,
brought up while working on PR 58231. Our documentation clearly
states the following:
"If a HTTP header is used in a condition this header is added
to the Vary header of the response in case the condition
evaluates to true for the request."
This is currently not true for RewriteCond/Rules working in
a directory context, since when an internal redirect happens
all the outstanding response headers get dropped.
There might be a better solution so I am looking forward to
hearing more opinions and comments. My goal for a delicate change
like this one would be to affect the least amount of configurations
possible, without triggering unwanted side effects.
If the solution is good for everybody tests will be written
in the suite asap.
Yann Ylavic [Tue, 10 Oct 2017 10:54:48 +0000 (10:54 +0000)]
ab: Make the TLS layer aware that the underlying socket is nonblocking,
and use/handle POLLOUT where needed to avoid busy IOs and recover write
errors when appropriate.
Yann Ylavic [Tue, 10 Oct 2017 09:09:22 +0000 (09:09 +0000)]
ab: Keep reading nonblocking to exhaust TCP or SSL buffers when previous
read was incomplete (the SSL case can cause the next poll() to timeout
since data are buffered already). PR 61301
Ruediger Pluem [Mon, 9 Oct 2017 13:30:26 +0000 (13:30 +0000)]
* The calculation of the sizes was flawed:
The index tells us the size of the node in 4096 byte pages minus 1.
Hence we need to multiply back with 4096 aka << 12 (plus adding the
missing page).
Ruediger Pluem [Thu, 5 Oct 2017 12:01:25 +0000 (12:01 +0000)]
* Add dump_all_pools and dump_pool_and_childs.
- dump_all_pools: Dump the whole pool hierarchy starting from apr_global_pool.
Requires an arbitrary pool as starting parameter.
- dump_pool_and_childs: Dump the whole pool hierarchy starting from
the given pool.
dump_pool_and_childs is written in Python using the GDB Python API
as doing recursive stuff in standard GDB macros is very difficult.
Yann Ylavic [Mon, 2 Oct 2017 21:57:26 +0000 (21:57 +0000)]
ap_expr: open string expressions to the <word>.
Introduces the syntax "%{:<word>:}", borrowed from the <var>'s one, and which
likewise can be embedded anywhere in a string expression (the same reserved
character ':' gets reused in an unambiguous manner).
This allows the two types of expressions (boolean and string) to now share
fully the same language set, namely: strings, lists, vars, regexes, backrefs,
functions with multiple or complex arguments, and especially combinations
thereof.
Most of them were reserved to boolean expressions only, while complex string
constructions can also benefit to, well, strings. The <word> construct allows
that (say the syntax "%{:<word>:}" looks like a temporary variable constructed
in a string).
Since string expressions may now have to deal with lists (arrays), they also
need a way to produce/extract strings from lists and vice versa. This can be
done with the new "join" and "split" operators, while the new substitution
regexes (like "s/<pattern>/<substitute>/<flags>") may be used to manipulate
strings in place. All this of course available for both string and boolean
expressions.
Deregister all hooks first (in pre_cleanup), by doing it last we could still
have had them run when DSOs were unloaded.
Likewise, avoid double faults when handling fatal signals by restoring the
default handler before pconf is cleared (we can't ap_log_error there).
Finally, we need to ignore sig_term/restart (do nothing) when the main
process is exiting (i.e. ap_pglobal is destroyed), since retained_data are
freed.
Stefan Eissing [Tue, 26 Sep 2017 08:33:35 +0000 (08:33 +0000)]
On the trunk:
mod_md: v0.9.7
- Use of the new module flag
- Removed obsolete function from interface to mod_ssl.
- Fallback certificates have the version set and no longer claim to be a CA. (re issue #32)
- MDRequireHttps now happens before any Redirect.
Stefan Eissing [Wed, 20 Sep 2017 14:41:25 +0000 (14:41 +0000)]
On the trunk:
mod_ssl: unshare SSLSrvConfigRec instances between base server and virtual hosts. This avoids
overwrites of later initializations (vhost_id), selective disables by "SSLEngine addr-list"
and certificate/key pickup from mod_md.
This is a follow up of r1808746 after a chat
with Yann on dev@:
- the HTTP:Host variable suffers from the same problem
- the strcasecmp should be used to allow case-sensitive
comparisons.
- in mod_rewrite it is less cumbersome and more clean to just
make the Host header check in lookup_header, so it will
be automatically picked up by every part of the code
that uses it. It shouldn't be a relevant overhead for
mod_rewrite.
In PR 58231 it was brought up that httpd adds the
Vary: Host header whenever a condition is set to true
in mod_rewrite or in an <If> block.
The https://tools.ietf.org/html/rfc7231#section-7.1.4
section seems to disallow this use case:
"The "Vary" header field in a response describes "
"what parts of a request message, "
"aside from the method, Host header field, [...]"
I had a chat with the folks in #traffic-server and
they don't see much point in having a Vary: Host header,
plus it was reported that Varnish doesn't like it very
much (namely it does not cache the response when
it sees the header, links of the report in the PR).
I don't see much value in this behavior of httpd so
I am inclined to remove this response header value,
but I'd be glad to get a more experienced opinion.
Stefan Eissing [Thu, 14 Sep 2017 13:01:29 +0000 (13:01 +0000)]
On the trunk:
mod_ssl: adding ssl_policies.h[.in] for policy cipher/protocol definitions. Use
update_policies.py to update manually from Mozilla JSON definitions at
https://statics.tls.security.mozilla.org/server-side-tls-conf.json
Stefan Eissing [Wed, 13 Sep 2017 14:16:49 +0000 (14:16 +0000)]
On the trunk:
mod_md: v0.9.5:
- New directive (srly: what do you expect at this point?) "MDMustStaple on|off" to control if
new certificates are requested with the OCSP Must Staple extension.
- Known limitation: when the server is configured to ditch and restart child processes, for example
after a certain number of connections/requests, the mod_md watchdog instance might migrate
to a new child process. Since not all its state is persisted, some messages might appear a
second time in the logs.
- Adding checks when 'MDRequireHttps' is used. It is considered an error when 'MDPortMap 443:-'
is used - which negates that a https: port exists. Also, a warning is logged if no
VirtualHost can be found for a Managed Domain that has port 443 (or the mapped one) in
its address list.
- New directive 'MDRequireHttps' for redirecting http: traffic to a Managed Domain, permanently
or temporarily.
- Fix for using a fallback certificate on initial signup of a Managed Domain. Requires also
a changed mod_ssl patch (v5) to take effect.
- compatibility with libressl
Joe Orton [Wed, 13 Sep 2017 10:59:51 +0000 (10:59 +0000)]
* server/protocol.c (ap_content_length_filter): Rewrite the content
length filter to avoid arbitrary memory consumption for streaming
responses (e.g. large CGI script output). Ensures C-L is still
generated in common cases (static content, small CGI script output),
but this DOES change behaviour and some responses will end up
chunked rather than C-L computed.
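The following is an added illustration of the framing decision the commit message describes, and is not httpd's `ap_content_length_filter`: a response body is buffered only up to a fixed cap so that a Content-Length can still be computed for small or static responses, and once the cap is exceeded the response switches to chunked transfer coding instead of holding an arbitrarily large streaming body in memory. The cap value, the function names and the sample bodies are constructed for the example.

```python
# Added illustration (not httpd's code): bound the memory a content-length
# filter may spend on a streaming response.  Small bodies still get a
# Content-Length header; anything larger than the cap is framed as chunked
# and streamed through without being buffered further.
from typing import Dict, Iterable, Iterator, List, Tuple

BUFFER_CAP = 64 * 1024  # constructed cap; the real filter's limit is not on the page


def _chunked(head: List[bytes], tail: Iterator[bytes]) -> Iterator[bytes]:
    """Emit HTTP/1.1 chunked transfer coding for the buffered head and the
    not-yet-read tail, then the terminating zero-length chunk."""
    for source in (iter(head), tail):
        for chunk in source:
            if chunk:  # an empty chunk would be read as end-of-body
                yield b"%x\r\n%s\r\n" % (len(chunk), chunk)
    yield b"0\r\n\r\n"


def frame_response(body_chunks: Iterable[bytes],
                   cap: int = BUFFER_CAP) -> Tuple[Dict[str, str], Iterator[bytes], int]:
    """Decide how to frame a response body without buffering more than `cap`.

    Returns (headers, framed_body_iterator, bytes_held): the headers to add,
    an iterator over the wire bytes, and how many body bytes were sitting in
    memory at the moment the decision was made.  For a body that fits under
    the cap the full length is known, so Content-Length is emitted; otherwise
    the buffered prefix and the rest of the stream go out chunked.
    """
    it = iter(body_chunks)
    buffered: List[bytes] = []
    size = 0
    for chunk in it:
        buffered.append(chunk)
        size += len(chunk)
        if size > cap:
            # Give up on computing a length: stream what we have plus the rest.
            return {"Transfer-Encoding": "chunked"}, _chunked(buffered, it), size
    # Reached end of body under the cap: the length is exact.
    return {"Content-Length": str(size)}, iter(buffered), size


if __name__ == "__main__":
    # Constructed small CGI-style output: three short writes, still gets C-L.
    headers, body, held = frame_response([b"hello ", b"big ", b"world"])
    print(headers, b"".join(body), "held", held)

    # Constructed large stream: 200 KiB produced lazily, framed chunked while
    # never holding more than cap + one chunk in memory.
    stream = (b"x" * 1024 for _ in range(200))
    headers, body, held = frame_response(stream, cap=4096)
    wire = b"".join(body)
    print(headers, "wire bytes", len(wire), "held", held)
```

The behaviour change the commit warns about is visible here: the same body can come out with Content-Length or chunked depending only on whether it crossed the cap, so any downstream component that assumes a length header for CGI output has to cope with both framings.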
docs: update the prettify.js files with new directives
Procedure that I've used:
1) Copy https://httpd.apache.org/docs/trunk/mod/directives.html
to a text file.
2) Generate a csv with something like
cat /tmp/trunk_directives | sort | tr "\n" ","
3) Replace the content of CONFIG_KEYWORDS in prettify.js
with the list generated in 2)
4) Run the MINIFY command to generate prettify.min.js
This commit should hopefully allow a better syntax highlighting
in our docs examples.