Joe Orton [Wed, 12 Sep 2018 15:54:24 +0000 (15:54 +0000)]
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol):
Disable AUTO_RETRY mode for OpenSSL 1.1.1, which fixes
post-handshake authentication.
(ssl_init_proxy_certs): Fix proxy client cert support with
TLSv1.3, which is now crippled by default.
Follow up to r1840265: really privatize ap_filter_{recycle,adopt_brigade}().
Move ap_filter_adopt_brigade()'s declaration to "server/core.h" (private).
For ap_filter_recycle(), make it static/internal to util_filter (renamed to
recycle_dead_filters() which better fits what it does). It's now also called
unconditionally from ap_filter_input_pending() which itself is always called
after the request processing and from MPM event (as input_pending hook).
Joe Orton [Tue, 11 Sep 2018 16:01:47 +0000 (16:01 +0000)]
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access_modern): Fail with
403 if SSL_verify_client_post_handshake() fails, e.g. when the
TLS/1.3 client didn't send the Post-Handshake Authentication
extension.
Joe Orton [Tue, 11 Sep 2018 12:57:36 +0000 (12:57 +0000)]
* modules/arch/unix/mod_systemd.c (systemd_pre_mpm, systemd_monitor):
Ignore sd_notify{,f} failure cases as currently recommended by the
systemd API docs.
Joe Orton [Tue, 11 Sep 2018 12:53:30 +0000 (12:53 +0000)]
* modules/arch/unix/mod_systemd.c (systemd_post_config): Fix systemd
service getting stuck reloading if "ExtendedStatus off" is
configured; regression in r1802251.
Follow up to r1840149: core input filter pending data.
Since r1840149 ap_core_input_filter() can't use f->[priv->]bb directly, so
ap_filter_input_pending() stopped accounting for its pending data.
But ap_core_input_filter() can't (and doesn't need to) setaside its socket
bucket, so ap_filter_setaside_brigade() is not an option. This commit adds
ap_filter_adopt_brigade() which simply moves the given buckets (brigade) into
f->priv->bb, and since this is not something to be done blindly (the buckets
need to have c->pool/bucket_alloc lifetime, which is the case in the core
filter) the function is not AP_DECLAREd/exported thus can be used in core only.
With ap_filter_adopt_brigade() and ap_filter_reinstate_brigade(), the core
input is now ap_filter_input_pending() friendly.
Also, ap_filter_recycle() is no more part of the API (AP_DECLARE removed too),
there really is no point to call it outside core code. MAJOR bumped once again
because of this.
Eric Covener [Thu, 6 Sep 2018 15:24:29 +0000 (15:24 +0000)]
fix StrictHostCheck in single/non-NVH vhosts
While all VH'es are NVH'es in 2.4 and later, something special happens
once a second NVH in a set is added. This case covers the
global server config scenario as well.
util_filter: protect ap_filter_t private fields from external (ab)use.
Introduce opaque struct ap_filter_private to move ap_filter_t "pending", "bb"
and "deferred_pool" fields to the "priv" side of things.
This allows to trust values set internally (only!) in util_filter code, and
make useful assertions between the different functions calls, along with the
usual nice extensibility property.
Likewise, the private struct ap_filter_conn_ctx in conn_rec (from r1839997)
allows now to implement the new ap_acquire_brigade() and ap_release_brigade()
functions useful to get a brigade with c->pool's lifetime. They obsolete
ap_reuse_brigade_from_pool() which is replaced where previously used.
Some comments added in ap_request_core_filter() regarding the lifetime of the
data it plays with, up to EOR...
core: follow up to r1839997: some runtime optimizations.
We don't mind about cleaning up a connection filter when its pool is being
cleaned up already. For request filters, let pending_filter_cleanup() do
nothing if the given filter is not pending (anymore), which allows to save a
cleanup kill when the filter is removed.
Clear (zero) the reused filters (ap_filter_t) on reuse rather than cleanup,
then a single APR_RING_CONCAT() can be used to recycle dead_filters in a one
go.
Always call ap_filter_recycle() in ap_filter_output_pending(), even if no
filter is pending, and while at it fix s/ap_filter_recyle/ap_filter_recycle/
silly typo.
Stefan Eissing [Tue, 4 Sep 2018 08:29:11 +0000 (08:29 +0000)]
On the trunk:
mod_http2: connection IO event handling reworked. Instead of reacting on
incoming bytes, the state machine now acts on incoming frames that are
affecting it. This reduces state transitions.
core: follow up to r1839997: recycle request filters to a delayed ring first.
We want not only ap_filter_output_pending() to be able to access each pending
filter's *f after the EOR is destroyed, but also each request filter to do
the same until it returns.
So request filters are now always cleaned up into a dead_filters ring which is
merged into spare_filters only when ap_filter_recycle() is called explicitly,
that is in ap_process_request_after_handler() and ap_filter_output_pending().
The former takes care of recycling at the end of the request, with any MPM,
while the latter keeps recycling during MPM event's write completion.
core: always allocate filters (ap_filter_t) on f->c->pool.
When filters are allocated on f->r->pool, they may be destroyed any time
underneath themselves which makes it hard for them to be passed the EOR and
forward it (*f can't be dereferenced anymore when the EOR is destroyed, thus
before request filters return).
On the util_filter side, it also makes it impossible to flush pending request
filters when they have set aside the EOR, since f->bb can't be accessed after
it's passed to the f->next.
So we always use f->c->pool to allocate filters and pending brigades, and to
avoid leaks with keepalive requests (long living connections handling multiple
requests), filters and brigades are recycled with a cleanup on f->r->pool.
Recycling is done (generically) with a spare data ring (void pointers), and a
filter(s) context struct is associated with the conn_rec to maintain the rings
by connection, that is:
util_filter: split pending filters ring in two: input and output ones.
Pending input and output are now maintained separately in respectively
c->pending_input_filters and c->pending_output_filters, which improves
both performances and debug-ability.
Also, struct ap_filter_ring is made opaque, it's only used by util_filter
and this will allow us to later change it e.g. to a dual ring+apr_hash to
avoid quadratic search in ap_filter_prepare_brigade().
MMN major bumped due to the change in conn_rec (this is trunk only code
anyway for now).
Yann Ylavic [Wed, 29 Aug 2018 12:27:31 +0000 (12:27 +0000)]
MPMs: early initialize scoreboard's child generation number.
Since [mpm]_note_child_killed uses the scoreboard's generation number for
child_status hook (MPM_CHILD_EXITED), we must initialize it early (i.e. in
[mpm]_note_child_started where MPM_CHILD_STARTED is set) to avoid race
conditions on restart (e.g. storm/loop of restarts) leading to AH00546.
When a rewrite to proxy is configured in the server config, a check is made to make sure mod_proxy is active. But the same is not done if a rewrite to proxy is configured in an .htaccess file.
Basically this patch is the block of code from hook_uri2file that does the proxy check, copied to hook_fixup.
Patch provided by Michael Streeter [mstreeter1 gmail.com], slightly modified to use a new APLOGNO
PR 56264
- Add some links.
- Remove the space in "character set" in the syntax of ProxyFtpDirCharset to avoid confusion (it is 1 parameter only)
- Use the correct syntax for the "default" values, so that they are parsed and correctly displayed in 'quickreference'
- Remove extra [] when directive's parameters are required
- correct the default password: apache-proxy@ instead of apache_proxy@.
This was silently changed in r88745, 17 years ago!
'ap_unescape_urlencoded()' suggests that NULL can be passed to 'unescape_url()'.
So avoid a potential 'strchr(NULL, ...)' which is an undefined behavior.
Yann Ylavic [Fri, 10 Aug 2018 16:15:50 +0000 (16:15 +0000)]
core: ap_filter_output_pending() to flush outer most filters first.
Since previous output filters may use ap_filter_should_yield() to determine
whether they should send more data (e.g. ap_request_core_filter), we need
to flush pending data from the core output filter first, and so on up the
chain.
Otherwise we may enter an infinite loop where ap_request_core_filter() does
nothing on ap_filter_output_pending() called from MPM event.
Rainer Jung [Tue, 7 Aug 2018 10:25:31 +0000 (10:25 +0000)]
mod_status: Complete the data shown for async
MPMs in "auto" mode. Added number of processes,
number of stopping processes and number
of busy and idle workers.
Rainer Jung [Tue, 7 Aug 2018 10:17:33 +0000 (10:17 +0000)]
mod_proxy: Improve the balancer member data shown
in mod_status when "ProxyStatus" is "On":
add "busy" count and show byte counts in auto
mode always in units of kilobytes.
Yann Ylavic [Fri, 3 Aug 2018 09:53:42 +0000 (09:53 +0000)]
event, worker: initialize the objects used by signal_threads() first.
Follow up to r1835845.
If a signal is received early when the MPM children start, signal_threads() may
be called concurrently with start_threads() thus before the latter (or its
underlying threads like the listener_thread) had a chance to create and init
the queues, mutexes, pollset and sockets array used by the former.
So move those initializations to a new setup_threads_runtime() function called
before start_threads(), where the pruntime pool is also created.
If ProxyPassReverse is used for reverse mapping of relative redirects, subsequent ProxyPassReverse statements, whether they are relative or absolute, may fail.
Jim Jagielski [Wed, 1 Aug 2018 11:27:28 +0000 (11:27 +0000)]
Fix PR54848 in a 2.4.x backportable format. Ideally deprecating the use
of ->client in whatever version of 2.4 this is added into would be
more logical.
mod_ratelimit: Don't interfere with "chunked" encoding.
By the time ap_http_header_filter() sends the header brigade and adds the
"CHUNK" filter, we need to guarantee that the header went through all the
filters' stack, and more specifically above ap_http_chunk_filter() which
assumes that all it receives is content data.
Since rate_limit_filter() may retain the header brigade, make it run after
ap_http_chunk_filter(), just before AP_FTYPE_CONNECTION filters.
Also, ap_http_header_filter() shouldn't eat the EOS for HEAD/no-body responses.
For instance mod_ratelimit depends on it since r1835168, but any next request
filter may as well to flush and/or bail out appropriately.
This fixes the regression introduced in 2.4.34 (r1835168).
PR 62568.
mod_proxy_http: follow up to r1836588/r1836648: handle unread 100-continue.
When the backend responds with a non-interim response to a 100-continue,
mod_proxy_http won't read the client's body, so make sure "Connection: close"
ends up being added to the response if nobody reads that body later.
The right thing to do at mod_proxy level, rather than forcing AP_CONN_CLOSE,
is to restore r->expecting_100 so that further processing (like error_override
or trying on the next balancer member) can still work.
Eric Covener [Thu, 26 Jul 2018 00:51:31 +0000 (00:51 +0000)]
expand on ProxyPassReverse args
split up the two arguments into their own paragraphs
try to reinforce that the 2nd arg has to match the response
header, and what the first one is used for.