Jan Kaluža [Thu, 19 Mar 2015 11:29:55 +0000 (11:29 +0000)]
* mod_proxy: Allow setting options to globally defined balancer from
ProxyPass used in VirtualHost. Balancers are now merged using the new
merge_balancers method which merges the balancers options.
Jan Kaluža [Thu, 19 Mar 2015 07:46:35 +0000 (07:46 +0000)]
* mod_access_compat, mod_authz_host: Handle '#' character.
For mod_access_compat, disable '#' in hostname completely.
For mod_authz_host, treat '#' as a comment and ignore everything after that.
This allows better handling of admin errors like
'Require host localhost# Add example.com later'.
Yann Ylavic [Sat, 14 Mar 2015 00:09:32 +0000 (00:09 +0000)]
mpm_motorz: follow up to r1666482.
We only need one compare function for add semantics with apr_skiplist_insert()
and unique timers (pointers). It also works with apr_skiplist_remove() and
apr_skiplist_find().
Yann Ylavic [Sat, 14 Mar 2015 00:06:21 +0000 (00:06 +0000)]
mpm_event: follow up to r1666468.
We only need one compare function for add semantics with apr_skiplist_insert()
and unique timers (pointers). It also should work with apr_skiplist_remove()
and apr_skiplist_find(), be they used some day.
Rainer Jung [Fri, 13 Mar 2015 12:15:40 +0000 (12:15 +0000)]
Small changes to rotatelogs:
- add "-n num" to help text
- clarify in help text that "program is invoked" is the "-p" case
- prevent crash with "-v" (verbose) if no "-p prog" is used
- add one space for formatting
Jan Kaluža [Fri, 13 Mar 2015 07:32:46 +0000 (07:32 +0000)]
* mod_ssl: fix small memory leak in ssl_init_server_certs when ECDH is used.
SSL_CTX_set_tmp_ecdh increases reference count, so we have to call EC_KEY_free,
otherwise eckey will not be freed.
Avoid a potential integer underflow in the lock timeout value sent back to a client. The answer to a LOCK request could be an extremely large integer if the time needed to lock the resource was longer than the requested timeout given in the LOCK request. In such a case, we now answer "Second-0". PR 55420
Yann Ylavic [Tue, 10 Mar 2015 17:25:17 +0000 (17:25 +0000)]
core, modules: like r1657897 but for core and other modules than mod_proxy.
More uses of ap_map_http_request_error() and AP_FILTER_ERROR so that we never
return an HTTP error status from a handler if some filter generated a response
already.
That is, from a handler, either ap_get_brigade() (an input filter) returned
AP_FILTER_ERROR and we must forward it to ap_die(), or ap_pass_brigade() (an
output filter) failed with any status and we must return AP_FILTER_ERROR in
any case for ap_die() to determine whether a response is needed or not.
Jan Kaluža [Mon, 9 Mar 2015 12:48:11 +0000 (12:48 +0000)]
* mod_cache: Preserve the Content-Type in case of 304 response.
304 does not contain Content-Type and mod_mime regenerates
the Content-Type based on the r->filename. This later leads to the original
Content-Type being lost (overwritten by whatever mod_mime generates).
Yann Ylavic [Mon, 9 Mar 2015 12:45:56 +0000 (12:45 +0000)]
mod_proxy: use the original (non absolute) form of the request-line's URI
for requests embedded in CONNECT payloads used to connect SSL backends via
a ProxyRemote forward-proxy. PR 55892.
Ruediger Pluem [Fri, 6 Mar 2015 19:31:42 +0000 (19:31 +0000)]
* Do not reset the retry timeout if the worker is in error at this stage even
if the connection to the backend was successful. It was likely set into
error by a different thread / process in parallel e.g. for a timeout or
bad status. We should respect this and should not continue with a connection
via this worker even if we got one.
Yann Ylavic [Fri, 6 Mar 2015 09:55:16 +0000 (09:55 +0000)]
core: Follow up to r1664205.
Don't let invalid r->proto_num/protocol out of read_request_line() reach
the output filters (when responding with 400 Bad Request).
Suggested by: rpluem
Jan Kaluža [Fri, 6 Mar 2015 09:14:07 +0000 (09:14 +0000)]
*) mod_rewrite: Add support for starting External Rewriting Programs
as non-root user on UNIX systems by specifying username and group name
as third argument of RewriteMap directive.
Eric Covener [Thu, 5 Mar 2015 02:33:16 +0000 (02:33 +0000)]
*) SECURITY: CVE-2015-0253 (cve.mitre.org)
core: Fix a crash introduced with ErrorDocument 400 pointing
to a local URL-path with the INCLUDES filter active, introduced
in 2.4.11. PR 57531. [Yann Ylavic]
Yann Ylavic [Wed, 4 Mar 2015 16:58:01 +0000 (16:58 +0000)]
core: If explicitly configured, use the KeepaliveTimeout value of the
virtual host which handled the latest request on the connection, or by
default the one of the first virtual host bound to the same IP:port.
For non-async MPMs, use either r->server's or c->base_server's value in
ap_process_http_sync_connection() depending on a new server_rec's flag
called keep_alive_timeout_set and determined at config time.
For event MPM, use a queue per timeout value, chaining the queues per
type (keepalive wrt KeepAliveTimeout, write completion wrt Timeout)
so that maintenance can be done on all the queues from the head, and such
that insertions/maintenance remain in O(1).
A server config is created and pointing to the queue of each vhost at
post_config time, hence the config can be associated to the connection
state (cs) at post_read_request time (keep_alive_timeout_set is used to
determine r->server vs c->base_server here), and we can simply insert
with TO_QUEUE_INSERT(cs->sc->q, cs). PR56226.
While at it, since each queue now embeds its own timeout and hence the
expiration_time of the cs has changed to a queue_timestamp (the time it
was queued), we can detect clock skews and expire entries immediately if
the system is set (e.g. far) in the past during runtime and we want to
avoid waiting for (e.g.) centuries before the current logic kills them.
Any entry which is registered above now + q->timeout is concerned, and
is now cleaned from the queue when encountered. PR 57374.
Yann Ylavic [Sun, 1 Mar 2015 00:44:49 +0000 (00:44 +0000)]
mpm_event: follow up to r1538490, r1545736, r1604350, r1639614 and r1642868.
Clear and restore sbh in notify_suspend() and notify_resume() respectively.
Jeff Trawick [Sun, 22 Feb 2015 20:12:26 +0000 (20:12 +0000)]
mod_ssl_ct needs a per-vhost module config even if a vhost
doesn't contain mod_ssl_ct's own directives, because the
module config needs to represent that vhost's certificates.
Jeff Trawick [Sun, 22 Feb 2015 15:50:54 +0000 (15:50 +0000)]
Provide separate SSL_CT_*_STATUS variables for client vs. proxy
connections, courtesy of a new flag passed from mod_ssl on its
pre_connection "optional hook."
Graham Leggett [Sat, 21 Feb 2015 00:33:34 +0000 (00:33 +0000)]
mod_ssl: Add the SSL_CLIENT_CERT_RFC4523_CEA variable, which provides
a combination of certificate serialNumber and issuer as defined by
CertificateExactMatch in RFC4523.
Yann Ylavic [Tue, 10 Feb 2015 17:25:54 +0000 (17:25 +0000)]
mod_proxy_http: Use the "Connection: close" header for requests to
backends not recycling connections (disablereuse), including the default
reverse and forward proxies.
Yann Ylavic [Tue, 10 Feb 2015 17:03:05 +0000 (17:03 +0000)]
mod_proxy_http: Don't expect the backend to ack the "Connection: close" to
finally close those not meant to be kept alive by SetEnv proxy-nokeepalive
or force-proxy-request-1.0, and respond with 502 instead of 400 if its
Connection header is invalid.