Eric Covener [Thu, 1 Aug 2019 13:58:45 +0000 (13:58 +0000)]
don't mess with AP_ENABLE_EXCEPTION_HOOK on trunk
mpm_common defines it later anyway:
In file included from mod_md.c:25:
In file included from /Users/covener/SRC/httpd-trunk/include/mpm_common.h:40:
In file included from /Users/covener/SRC/httpd-trunk/include/ap_config.h:184:
/Users/covener/SRC/httpd-trunk/include/ap_config_auto.h:11:9: error: 'AP_ENABLE_EXCEPTION_HOOK' macro redefined [-Werror,-Wmacro-redefined]
Stefan Eissing [Thu, 18 Jul 2019 12:31:01 +0000 (12:31 +0000)]
*) mod_http2: core setting "LimitRequestFieldSize" is not additionally checked on
merged header fields, just as HTTP/1.1 does. [Stefan Eissing, Michael Kaufmann]
Joe Orton [Wed, 17 Jul 2019 07:51:53 +0000 (07:51 +0000)]
mod_cgid: Continuation of r1862968, experimental fd passing support.
Split out CGI bucket implementation from mod_cgi and use in both
mod_cgi and mod_cgid, bringing stderr handling in mod_cgid up to par
with mod_cgi. (There is a lot of code which has been copied between
mod_cgi{,d} so there's scope for further reduction of source
duplication between the modules using this header)
* modules/generators/cgi_common.h: Copied from mod_cgi.c, removed
everything but the CGI bucket implementation with only one change:
(struct cgi_bucket_data, cgi_bucket_create, cgi_bucket_read): Take a
timeout on bucket creation, store and use on reads.
* modules/generators/mod_cgi.c [APR_FILES_AS_SOCKETS]: Include
cgi_common.h.
(cgi_handler): Pass configured timeout to CGI bucket.
* modules/generators/mod_cgid.c: Include cgi_common.h.
(log_script_err): Copy from mod_cgi.c.
(log_script): Use log_script_err.
(send_req): Take fd for stderr.
(cgid_child_errfn): Handle fd-passing case by writing error
to stderr for client to pass through ap_log_rerror.
(cgid_handler): Create pipe for stderr, pass write-end to
server via send_req, use read-end to create CGI bucket. Handle
stderr output in failure paths.
Joe Orton [Fri, 12 Jul 2019 12:09:04 +0000 (12:09 +0000)]
Add experimental support for fd passing in mod_cgid. Attaches CGI
script stderr to the error log specific to the vhost, by passing the
appropriate fd over the AF_UNIX socket from the request handling
thread to the cgid server process.
* modules/generators/mod_cgid.c (sock_readhdr): New function, also
returns auxiliary control data (the stderr fd) if available.
(sock_write): Take optional aux fd argument, send it as control
data. (send_req, get_req): Adjust accordingly to pass/receive the
stderr fd.
(cgid_server): Use passed fd if available, limit the lifetime.
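The fd-passing mechanism the two mod_cgid commits above build on, shown as an added stand-alone example written for this page (it is this editor's code, not httpd's, and uses none of the mod_cgid functions named in the log): the "request side" creates a pipe for the script's stderr, ships the write end over an AF_UNIX socket as SCM_RIGHTS control data, the "server side" receives its own copy of that fd, writes to it as a CGI child would, and closes it promptly; the request side then drains the read end, which is what mod_cgid wraps in a CGI bucket. The function names (send_fd, recv_fd, demo_stderr_handoff) and the "script error" payload are this example's own constructions; both sides run in one process over a socketpair so the example runs offline.

```c
/* Added example, not httpd code: pass a pipe's write end across an AF_UNIX
 * socketpair with SCM_RIGHTS, the mechanism mod_cgid's fd-passing support
 * relies on to get a script's stderr to the vhost's error log.
 * send_fd/recv_fd/demo_stderr_handoff are names invented for this example. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>

/* Send a short payload plus one file descriptor as ancillary data over sock. */
static int send_fd(int sock, int fd_to_pass, const char *msg, size_t len)
{
    struct msghdr mh;
    struct iovec iov;
    union { struct cmsghdr align; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct cmsghdr *cm;

    memset(&mh, 0, sizeof mh);
    memset(&u, 0, sizeof u);
    iov.iov_base = (void *)msg;
    iov.iov_len = len;
    mh.msg_iov = &iov;
    mh.msg_iovlen = 1;
    mh.msg_control = u.buf;
    mh.msg_controllen = sizeof u.buf;

    cm = CMSG_FIRSTHDR(&mh);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd_to_pass, sizeof(int));

    return sendmsg(sock, &mh, 0) == (ssize_t)len ? 0 : -1;
}

/* Receive a payload into buf; if exactly one fd arrived as SCM_RIGHTS control
 * data, store it in *fd_out (otherwise *fd_out stays -1). Returns the payload
 * length, or -1 on error or on a truncated control message. */
static ssize_t recv_fd(int sock, char *buf, size_t buflen, int *fd_out)
{
    struct msghdr mh;
    struct iovec iov;
    union { struct cmsghdr align; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct cmsghdr *cm;
    ssize_t n;

    *fd_out = -1;
    memset(&mh, 0, sizeof mh);
    iov.iov_base = buf;
    iov.iov_len = buflen;
    mh.msg_iov = &iov;
    mh.msg_iovlen = 1;
    mh.msg_control = u.buf;
    mh.msg_controllen = sizeof u.buf;

    n = recvmsg(sock, &mh, 0);
    if (n < 0)
        return -1;
    /* A truncated control message means an fd may have been delivered without
     * us learning its number; treat that as an error rather than leak it. */
    if (mh.msg_flags & MSG_CTRUNC)
        return -1;
    for (cm = CMSG_FIRSTHDR(&mh); cm != NULL; cm = CMSG_NXTHDR(&mh, cm)) {
        if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS
            && cm->cmsg_len == CMSG_LEN(sizeof(int)))
            memcpy(fd_out, CMSG_DATA(cm), sizeof(int));
    }
    return n;
}

/* Simulate the hand-off in one process. Returns the number of bytes that came
 * back through the pipe's read end (the "CGI bucket" side), or -1 on failure. */
int demo_stderr_handoff(char *out, size_t outlen)
{
    int sv[2], pfd[2], passed = -1;
    char tag[1];
    const char *msg = "script error\n";   /* constructed stderr output */
    ssize_t n;
    size_t total = 0;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    if (pipe(pfd) < 0) {
        close(sv[0]); close(sv[1]);
        return -1;
    }
    /* Request side: hand the pipe's write end to the server end of the socket,
     * then drop our own copy; the receiver now owns an independent descriptor. */
    if (send_fd(sv[0], pfd[1], "E", 1) < 0)
        return -1;
    close(pfd[1]);

    /* Server side: receive the fd and write to it as the CGI child's stderr. */
    if (recv_fd(sv[1], tag, sizeof tag, &passed) != 1 || passed < 0 || tag[0] != 'E')
        return -1;
    if (write(passed, msg, strlen(msg)) != (ssize_t)strlen(msg))
        return -1;
    close(passed);   /* limit the lifetime: nothing else should keep this fd open */

    /* Request side: drain the read end; EOF arrives once every writer has closed. */
    while (total < outlen - 1 && (n = read(pfd[0], out + total, outlen - 1 - total)) > 0)
        total += (size_t)n;
    out[total] = '\0';
    close(pfd[0]); close(sv[0]); close(sv[1]);
    return (int)total;
}

int main(void)
{
    char buf[64];
    int got = demo_stderr_handoff(buf, sizeof buf);
    printf("received %d bytes via passed fd: %s", got, got > 0 ? buf : "\n");
    return got > 0 ? 0 : 1;
}
```

Two details matter in practice and are why the receiver closes the fd immediately and checks MSG_CTRUNC: an fd received via SCM_RIGHTS is a new descriptor in the receiving process that keeps the pipe open until it is closed, so a server process that forgets to close it would keep the request side's stderr reader from ever seeing EOF; and an undersized control buffer silently delivers an fd the caller never learns about.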
Stefan Eissing [Wed, 10 Jul 2019 10:18:15 +0000 (10:18 +0000)]
*) mod_http2: fixed a bug that prevented proper stream cleanup when connection
throttling was in place. Stream resets by clients on streams initiated by them
are counted as possible trigger for throttling.
Stefan Eissing [Tue, 9 Jul 2019 16:57:59 +0000 (16:57 +0000)]
* moving the openssl related new hooks into mod_ssl_openssl.h
* changing type parameter to openssl types
* adding explanation of return value in get_stapling_status()
* adding array element description for add_cert_files and add_fallback_cert_files hooks
Stefan Eissing [Wed, 3 Jul 2019 13:46:31 +0000 (13:46 +0000)]
*) mod_http2/mpm_event: Fixes the behaviour when an HTTP/2 connection has nothing
more to write with streams ongoing (flow control block). The timeout waiting
for the client to send WINDOW_UPDATE was incorrectly KeepAliveTimeout and not
Timeout as it should be. Fixes PR 63534. [Yann Ylavic, Stefan Eissing]
Stefan Eissing [Mon, 1 Jul 2019 14:22:04 +0000 (14:22 +0000)]
*) mod_ssl/mod_md:
Adding 2 new hooks for init/get of OCSP stapling status information when
other modules want to provide those. Falls back to own implementation with
same behaviour as before.
Ruediger Pluem [Fri, 28 Jun 2019 08:50:31 +0000 (08:50 +0000)]
* Replace apr_psprintf with apr_pstrcat where the format strings only
contain %s to improve efficiency. Leave out error messages as they
are not on a critical code path and error messages become less readable
when taking out the format specifiers.
Joe Orton [Thu, 27 Jun 2019 09:06:56 +0000 (09:06 +0000)]
* docs/conf/magic: Allow mod_mime_magic to return "audio/x-wav" for
WAV files, and omit returning "audio/unknown" for other RIFF
format files. Having a MIME type defined on a continuation line
*and* the preceding top-level match breaks mod_mime_magic, which
treats the second result "printed" as the MIME encoding. Neither
audio/x-wav nor audio/unknown are IANA registered, though Firefox
and Chrome both appear to recognize the former. Since the RIFF
format can contain non-audio media, returning audio/unknown as
a fallback for all RIFF files appears to be bogus anyway.
Stefan Eissing [Tue, 25 Jun 2019 15:21:10 +0000 (15:21 +0000)]
*) mod_ssl/mod_md: reversing dependency by letting mod_ssl offer hooks for
adding certificates and keys to a virtual host. An additional hook allows
answering special TLS connections as used in ACME challenges.
Joe Orton [Tue, 25 Jun 2019 08:54:01 +0000 (08:54 +0000)]
Simplify handling of short-lived pool for dav_propdb in mod_dav. No
functional change.
* modules/dav/main/props.c (dav_popen_propdb): Rename from
dav_open_propdb, take a pool argument.
(dav_open_propdb): Reimplement in terms of above, using
r->pool.
(dav_propfind_walker): Switch to using dav_open_propdb
with scratchpool.
Stefan Eissing [Mon, 24 Jun 2019 16:04:32 +0000 (16:04 +0000)]
*) mod_md: bringing over v2.0.6 from github.
- supports the ACMEv2 protocol
- supports the new challenge method 'tls-alpn-01'
- supports command configuration to setup/teardown 'dns-01' challenges
- supports wildcard certificates when dns challenges are configured
- ACMEv2 is the new default and will be used on the next certificate renewal,
unless another MDCertificateAuthority is configured
- challenge type 'tls-sni-01' has been removed as CAs do not offer this any longer
- a domain exposes its status at https://<domain>/.httpd/certificate-status
- Managed Domains are now in Apache's 'server-status' page
- A new handler 'md-status' exposes verbose status information in JSON format
- new directives "MDCertificateFile" and "MDCertificateKeyFile" to configure a
Managed Domain that uses static files. Auto-renewal is turned off for those.
- new MDMessageCmd that is invoked on several events: 'renewed', 'expiring' and
'errored'. New 'MDWarnWindow' directive to configure when expiration warnings
shall be issued.
- ACMEv2 endpoints use the GET via empty POST way of accessing resources, see
announcement by Let's Encrypt:
https://community.letsencrypt.org/t/acme-v2-scheduled-deprecation-of-unauthenticated-resource-gets/74380
Graham Leggett [Sun, 23 Jun 2019 21:10:23 +0000 (21:10 +0000)]
After reinstatement of DSO support in APR/APR-util, revert r1837437,
r1837435, r1834553, r1833598, r1833452, r1833383, r1833368.
Undoes the following:
mod_ssl: OpenSSL now initializes fully through APR, use that.
mod_ssl: build with LibreSSL.
LibreSSL seems to be openssl-1.1 API compatible only in version 2.8 (master).
So use that for MODSSL_USE_OPENSSL_PRE_1_1_API instead of 2.7, the two 2.7
compatibility-exceptions are handled explicitly but overall it's simpler.
Regarding CRYPTO_malloc_init vs OPENSSL_malloc_init, LibreSSL uses none, the
former used to be a no-op but depends on LIBRESSL_INTERNAL in latest versions,
while the latter has never been (and will never be) defined. So don't call any
with LibreSSL.
Follow up to r1833368: share openssl between modules.
Both libapr[-util], the core PRNG, mod_ssl, mod_crypto and mod_session_crypto
can use the same crypto library (e.g. openssl), use the new APR crypto loading
API so that they can work together and initialize/terminate the lib either once
for all or on demand and reusable by the others.
Follow up to r1833368: apr_crypto_prng_after_fork() now uses a PID.
Make use of the new apr_crypto_rng API if available.
Joe Orton [Fri, 21 Jun 2019 13:30:17 +0000 (13:30 +0000)]
* configure.in, acinclude.m4: Inline APACHE_GEN_MAKEFILES in AC_CONFIG_COMMANDS
and run during the "normal" phase of ./config.status rather than as init-cmds.
Joe Orton [Thu, 20 Jun 2019 13:00:37 +0000 (13:00 +0000)]
Add an --enable-reduced-exports configure option to link libmain.a
using ld's --whole-archive mode and avoid building exports.c entirely.
This reduces the size of a minimal httpd binary by 18% on Linux/x86_64
(687K to 560K) with no difference to the set of symbols available to
modules.
This option is only appropriate to use if using a shared libapr*
build, hence is non-default.
* configure.in: Add --enable-reduced-exports; disable httpdunit build
if used. Define AP_FORCE_EXPORTS if not enabled (default) in place
of AP_USING_AUTOCONF.
* server/main.c (ap_suck_in_APR): Only build if AP_FORCE_EXPORTS is
defined.
* Makefile.in: Link libmain.la using LIBMAIN_LIB.
* server/Makefile.in: Conditionally build exports.c into libmain.
Eric Covener [Mon, 17 Jun 2019 18:35:24 +0000 (18:35 +0000)]
add RedirectRelative directive to allow relative Redirect targets
2616 forbade relative redirect URLs, but 7231 allows them
Early 2.2 maintenance levels did not fix them up, but later 2.2 and all 2.4
fixed them up with ap_construct_url().
Allow opt-in to not fixing up relative URLs with RedirectRelative
Follow up to r1847232.
There is no point in using "old" numbers in a recent commit.
Also avoid number duplication. The messages are the same but in different code paths, so having different numbers makes sense.
This also avoids a warning when running:
make update-log-msg-tags
Joe Orton [Thu, 13 Jun 2019 15:34:28 +0000 (15:34 +0000)]
* modules/ssl/ssl_engine_config.c (ssl_cmd_check_file):
If dumping the config, don't validate the paths. Allows
e.g. "httpd -L" to work w/ certs configured but not present,
doesn't affect "httpd -t".
Stefan Eissing [Wed, 22 May 2019 13:41:36 +0000 (13:41 +0000)]
*) mod_http2: internal code cleanups and simplifications. Common output code for
h2 and h2c protocols, using nested mutex locks for simplified calls. [Stefan Eissing]
Ruediger Pluem [Wed, 22 May 2019 09:54:05 +0000 (09:54 +0000)]
* Fix the logic to follow the comment. So far we only forwarded the header if
we have NOT used it AND the env variable was set. But if we have not
used it we should forward it in any case independent of the env variable
setting.
This aligns also with the behaviour in ap_proxy_create_hdrbrgd.
Yann Ylavic [Fri, 17 May 2019 08:42:17 +0000 (08:42 +0000)]
Follow up to r1859371: extend to other ap_proxy_connection_create[_ex]() users.
This function now handles SSL reuse as well as the "proxy-request-hostname"
note (SNI), so let's also call it unconditionally in all proxy modules.
On the mod_ssl side, since this note has the lifetime of the connection, don't
reset/unset it during handshake (ssl_io_filter_handshake).
Arrange balancer_handler() to be able to call
balancer_process_balancer_worker() to create/enable/disable
workers from other modules via a provider.
No functional changes in this first commit.