Stefan Eissing [Wed, 20 Sep 2017 14:41:25 +0000 (14:41 +0000)]
On the trunk:
mod_ssl: unshare SSLSrvConfigRec instances between base server and virtual hosts. This avoids
overwrites of later initializations (vhost_id), selective disables by "SSLEngine addr-list"
and certificate/key pickup from mod_md.
This is a follow up of r1808746 after a chat
with Yann on dev@:
- the HTTP:Host variable suffers from the same problem
- the strcasecmp should be used to allow case-sensitive
comparisons.
- in mod_rewrite it is less cumbersome and more clean to just
make the Host header check in lookup_header, so it will
be automatically picked up by every part of the code
that uses it. It shouldn't be a relevant overhead for
mod_rewrite.
In PR 58231 it was brought up that httpd adds the
Vary: Host header whenever a condition is set to true
in mod_rewrite or in an <If> block.
The https://tools.ietf.org/html/rfc7231#section-7.1.4
section seems to disallow this use case:
"The "Vary" header field in a response describes "
"what parts of a request message, "
"aside from the method, Host header field, [...]"
I had a chat with the folks in #traffic-server and
they don't see much point in having a Vary: Host header,
plus it was reported that Varnish doesn't like it very
much (namely it does not cache the response when
it sees the header, links of the report in the PR).
I don't see much value in this behavior of httpd so
I am inclined to remove this response header value,
but I'd be glad to get a more experienced opinion.
Stefan Eissing [Thu, 14 Sep 2017 13:01:29 +0000 (13:01 +0000)]
On the trunk:
mod_ssl: adding ssl_policies.h[.in] for policy cipher/protocol definitions. Use
update_policies.py to update manually from Mozilla JSON definitions at
https://statics.tls.security.mozilla.org/server-side-tls-conf.json
Stefan Eissing [Wed, 13 Sep 2017 14:16:49 +0000 (14:16 +0000)]
On the trunk:
mod_md: v0.9.5:
- New directive (srly: what do you expect at this point?) "MDMustStaple on|off" to control if
new certificates are requested with the OCSP Must Staple extension.
- Known limitation: when the server is configured to ditch and restart child processes, for example
after a certain number of connections/requests, the mod_md watchdog instance might migrate
to a new child process. Since not all its state is persisted, some messages might appear a
second time in the logs.
- Adding checks when 'MDRequireHttps' is used. It is considered an error when 'MDPortMap 443:-'
is used - which negates that a https: port exists. Also, a warning is logged if no
VirtualHost can be found for a Managed Domain that has port 443 (or the mapped one) in
its address list.
- New directive 'MDRequireHttps' for redirecting http: traffic to a Managed Domain, permanently
or temporarily.
- Fix for using a fallback certificate on initial signup of a Managed Domain. Requires also
a changed mod_ssl patch (v5) to take effect.
- compatibility with libressl
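The MDRequireHttps/MDPortMap check described in the v0.9.5 entry, as an added configuration example (not from the mod_md sources or the commit above). Directive names follow the log entry and the ManagedDomain spelling used elsewhere on this page; the argument "permanent" for MDRequireHttps and the host names are assumptions.

```apache
# Added example, not part of mod_md or of the commit message above.
# Directive names come from the log entry; "permanent" as the
# MDRequireHttps argument and the example.org names are assumptions.

# Rejected at config check: MDRequireHttps asks for an http: -> https:
# redirect while "MDPortMap 443:-" declares that no port is mapped to
# 443, so there is no https: port to redirect to.
#
#   ManagedDomain example.org www.example.org
#   MDRequireHttps permanent
#   MDPortMap 443:-

# Accepted: a VirtualHost listening on 443 carries the Managed Domain's
# names, so the redirect target exists and no "no VirtualHost found"
# warning is logged. MDMustStaple requests the OCSP Must Staple
# extension on the certificates the ACME CA issues for this MD.
ManagedDomain example.org www.example.org
MDRequireHttps permanent
MDMustStaple on

<VirtualHost *:80>
    ServerName example.org
    ServerAlias www.example.org
</VirtualHost>

<VirtualHost *:443>
    ServerName example.org
    ServerAlias www.example.org
    SSLEngine on
</VirtualHost>
```

Because the sanity checks run in the check_config phase, a check-only run (`httpd -t`) reports the rejected variant before any restart is attempted.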
Joe Orton [Wed, 13 Sep 2017 10:59:51 +0000 (10:59 +0000)]
* server/protocol.c (ap_content_length_filter): Rewrite the content
length filter to avoid arbitrary memory consumption for streaming
responses (e.g. large CGI script output). Ensures C-L is still
generated in common cases (static content, small CGI script output),
but this DOES change behaviour and some responses will end up
chunked rather than C-L computed.
docs: update the prettify.js files with new directives
Procedure that I've used:
1) Copy https://httpd.apache.org/docs/trunk/mod/directives.html
to a text file.
2) Generate a csv with something like
cat /tmp/trunk_directives | sort | tr "\n" ","
3) Replace the content of CONFIG_KEYWORDS in prettify.js
with the list generated in 2)
4) Run the MINIFY command to generate prettify.min.js
This commit should hopefully allow a better syntax highlighting
in our docs examples.
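Steps 2) and 3) of the procedure above, as an added shell example (not part of the httpd repository or of the commit message). The file names and the exact shape of the CONFIG_KEYWORDS line (a double-quoted string assigned with "=") are assumptions; step 4), the MINIFY run, is not reproduced.

```shell
#!/bin/sh
# Added example, not from the httpd repository or the commit above:
# automates steps 2) and 3) of the procedure. File names and the shape
# of the CONFIG_KEYWORDS line (var CONFIG_KEYWORDS = "...";) are
# assumptions; step 4), the MINIFY run, is left to the existing tooling.

# Step 2: directive names, one per line, to one sorted, comma-separated
# list. Blank lines and duplicates are dropped and no trailing comma is
# left behind, which the bare `sort | tr` in the procedure would produce.
# LC_ALL=C keeps the order stable across machines and locales.
directive_csv() {
    grep -v '^[[:space:]]*$' "$1" | LC_ALL=C sort -u | tr '\n' ',' | sed 's/,$//'
}

# Step 3: replace only the quoted value of CONFIG_KEYWORDS in the given
# prettify.js, printing the edited file to stdout so the original is
# left untouched. Characters that are special in a sed replacement
# (&, | and backslash) are escaped first.
replace_config_keywords() {
    js="$1"
    list="$2"
    csv=$(directive_csv "$list")
    esc=$(printf '%s' "$csv" | sed 's/[&|\\]/\\&/g')
    sed 's|\(CONFIG_KEYWORDS *= *"\)[^"]*"|\1'"$esc"'"|' "$js"
}

# Typical use (assumed paths):
#   replace_config_keywords prettify.js /tmp/trunk_directives > prettify.new.js
```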
Stefan Eissing [Fri, 8 Sep 2017 14:55:04 +0000 (14:55 +0000)]
On the trunk:
mod_md: v0.9.2: new directive 'MDHttpProxy' to define a proxy for outgoing connections,
some minor bugfixes, twiddle the build system to avoid non-pic code generation.
Stefan Eissing [Tue, 5 Sep 2017 13:10:11 +0000 (13:10 +0000)]
On the trunk:
*) mod_md: v0.9.1:
- various fixes in MDRenewWindow handling when specifying percent. Serialization changed. If
someone already used percent configurations, it is advised to change these to a new value,
reload and change back to the wanted ones.
- various fixes in handling of MDPrivateKeys when specifying 2048 bits (the default) explicitly.
- mod_md version removed from top level md_store.json file. The store has its own format version
to facilitate upgrades.
Stefan Eissing [Mon, 4 Sep 2017 15:10:59 +0000 (15:10 +0000)]
On the trunk:
*) mod_http2: DoS flow control protection is less aggressive as long as active tasks stay
below worker capacity. Intended to fix problems with media streaming.
Stefan Eissing [Mon, 4 Sep 2017 14:07:29 +0000 (14:07 +0000)]
On the trunk:
mod_md:
* Improved interface to mod_ssl for fallback handling. Backward compatible to previous mod_ssl
patch, but fallbacks will not work.
* Provide a temporary, self-signed certificate with a speaking command and domain name if we
have no other cert for a Managed Domain, yet. Refs github issue #32
* Continue to provide expired or not-completely matching, existing certificate for a Managed
Domain until the renewal was successful. This is helpful when one adds a DNS name to
a MD, so the previous domains can be served while a new cert is requested.
* All files necessary to run tests are not in the release package.
* Making "http-01" the preferred challenge type again, as people "tls-sni-01" requires at least
one working certificate vhost right now - which not everyone has.
* moved part of the MD sanity checks from post_config to check_config phase, allowing for error
detection in check-only runs.
Luca Toscano [Mon, 28 Aug 2017 12:34:58 +0000 (12:34 +0000)]
synopsis.xsl: fix broken translation builds
This commit is a follow up of r1805189, in which
a new logic was added to allow to repeat a directive
name only if its type is different (like SSLPolicy
and <SSLPolicy>). The change broke French translations
since the $this variable, containing the translated
sections, was not used anymore.
The XPath code could surely be improved, but it seems
more pressing to allow our translators to get back
to their daily work without interference.
build.sh validate-* worked fine, as well as the build.sh fr
translation.
Fix a compilation warning introduced by r1802040.
mod_proxy_fcgi.c:893:19: warning: ‘flushpoll’ may be used uninitialized in this function [-Wmaybe-uninitialized]
Luca Toscano [Fri, 18 Aug 2017 08:21:43 +0000 (08:21 +0000)]
doc xsl/dtd: introduce idtype attribute for directivesynopsis
In r1805193 synopsis.xsl was changed to allow two directives
of different type (like <SSLPolicy> and SSLPolicy) to share
the same name but have different ids (and please validate-xml/xhtml).
The downside of this action was that all the quicklinks to
existing directive sections (like <If>, <VirtualHost>, etc..)
were changed, possibly breaking external clients already
referencing them.
This change introduces a new attribute in the directivesynopsis
DTD, namely 'idtype', that will be appended to 'name'
in the id generation by synopsis.xsl. This will rollback
link names to their previous values and will allow documentators
to fine tune directivesynopsis sections as they need
(for example we have recently introduced mod_md's
ManagedDomain/<ManagedDomain>, and modssl's SSLPolicy/<SSLPolicy>).
This approach seems more precise and less invasive to me.
Of course the name of the attribute can be changed later on
to whatever term would fit best, the main concern for me at
the moment is to restore the trunk documentation to its previous
state.
Stefan Eissing [Thu, 17 Aug 2017 14:34:44 +0000 (14:34 +0000)]
On the trunk:
mod_md v0.7.0:
- LIVE: the real Let's Encrypt CA is now live by default! If you need to experiment, configure
MDCertificateAuthority https://acme-staging.api.letsencrypt.org/directory
- When existing, complete certificates are renewed, the activation of the new ones is
delayed by 24 hours (or until the existing ones expire, whichever is earlier) to accommodate
for clients with weird clocks, refs #1.
- Fixed store sync when MDCAChallenges was removed again from an MD.
- Fixed crash when MD matched the base server, fixes #23
- Fixed watchdog resetting staging when server processes disappeared (e.g. reached
max requests or other limits).