Fix alignment in a <highlight> block.
Add directive name in <default> so that 'quickreference.html' is generated with the corresponding default value.
Avoid some duplicated words (i.e. 'to to').
Fix some incorrect directive name in some description.
Fix the description of 'AuthFormBody' which was a copy&paste of 'AuthFormMethod'.
Remove some useless <var></var> around 'On|Off'.
Yann Ylavic [Tue, 22 Oct 2019 10:14:53 +0000 (10:14 +0000)]
mod_ssl: follow up to r1868645.
Restore ssl_callback_ServerNameIndication() even with OpenSSL 1.1.1+, which
depends on its return value (OK/NOACK), mainly on session resumption, for
SSL_get_servername() to consider or ignore the SNI (returning NULL thus
making SSLStrictSNIVHostCheck fail for possibly legitimate cases).
This means that init_vhost() should accurately return whether the SNI exists
in the configured vhosts, even when it's called multiple times (e.g. first
from ClientHello callback and then from SNI callback), so save that state in
sslconn->vhost_found and reuse it.
Yann Ylavic [Sun, 20 Oct 2019 12:31:45 +0000 (12:31 +0000)]
mod_proxy_http: revert r1868625.
The HTTP_IN filter handles "100 Continue" the first time it's called only,
and in spool_reqbody_cl() we have already tried to prefetch the body, so
it's too late.
Yann Ylavic [Sun, 20 Oct 2019 10:50:33 +0000 (10:50 +0000)]
mod_ssl: negotiate the TLS protocol version per name based vhost configuration.
By using the new ClientHello callback provided by OpenSSL 1.1.1, which runs at
the earliest connection stage, we can switch the SSL_CTX of the SSL connection
early enough for OpenSSL to take into account the protocol configuration of the
vhost.
In other words:
SSL_set_SSL_CTX(c->SSL, s->SSL_CTX)
followed by:
SSL_set_{min,max}_proto_version(SSL_CTX_get_{min,max}_proto_version(s->SSL_CTX))
works as expected at this stage (while the same from the SNI callback is
ignored by/due to OpenSSL's state machine).
Extracting the SNI (to select the relevant vhost) in the ClientHello callback
is not as easy as calling SSL_get_servername() though, we have to work with
the raw TLS extensions helpers provided by OpenSSL. I stole this code from a
test in the OpenSSL source code (i.e. client_hello_select_server_ctx() in
test/handshake_helper.c).
We can then call init_vhost() as with the SNI callback (in use only for OpenSSL
versions earlier than 1.1.1 now), and pass it the extracted SNI.
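The raw extension parsing that message refers to, as an added C example that is not httpd's or OpenSSL's own code: it takes the bytes SSL_client_hello_get0_ext() would return for the server_name extension (that OpenSSL call is assumed, not made here, so the block runs offline on constructed input), extracts the host name with the bounds checks such a callback needs, and matches it against a vhost name the way the extracted SNI would be handed to init_vhost().

```c
#include <ctype.h>
#include <string.h>
/* Parse a server_name extension payload (the bytes SSL_client_hello_get0_ext()
 * would return; that OpenSSL call is assumed, not made here) into out as a
 * NUL-terminated host_name. Returns its length, or -1 when the encoding is
 * malformed, so the caller treats the ClientHello as carrying no usable SNI. */
static int parse_sni_hostname(const unsigned char *p, size_t remaining,
                              char *out, size_t out_len)
{
    size_t len;
    /* ServerNameList: 2-byte length that must cover exactly what follows. */
    if (remaining <= 2) return -1;
    len = ((size_t)p[0] << 8) | p[1];
    p += 2; remaining -= 2;
    if (len != remaining) return -1;
    /* First ServerName: NameType byte; RFC 6066 only defines host_name(0). */
    if (*p++ != 0) return -1;
    remaining -= 1;
    /* HostName: 2-byte length, 1..2^16-1 bytes, must fit in what is left. */
    if (remaining <= 2) return -1;
    len = ((size_t)p[0] << 8) | p[1];
    p += 2; remaining -= 2;
    if (len == 0 || len > remaining || len >= out_len) return -1;
    /* An embedded NUL would let a C-string compare against the vhost's
     * ServerName match a truncated name, so reject it outright. */
    if (memchr(p, '\0', len) != NULL) return -1;
    memcpy(out, p, len);
    out[len] = '\0';
    return (int)len;
}

/* Vhost selection as the ClientHello callback would do it: 1 if the extracted
 * SNI names vhost_name (hostnames compare case-insensitively), else 0. */
static int sni_selects_vhost(const unsigned char *ext, size_t ext_len,
                             const char *vhost_name)
{
    char host[256];
    size_t i;
    if (parse_sni_hostname(ext, ext_len, host, sizeof(host)) <= 0) return 0;
    for (i = 0; host[i] != '\0' && vhost_name[i] != '\0'; i++)
        if (tolower((unsigned char)host[i]) != tolower((unsigned char)vhost_name[i]))
            return 0;
    return host[i] == '\0' && vhost_name[i] == '\0';
}

/* Constructed samples: a valid extension naming "www.example.org", and one
 * whose host_name length (0x20) overruns the bytes actually present. */
static const unsigned char sni_ok[] = { 0x00, 0x12, 0x00, 0x00, 0x0f,
    'w','w','w','.','e','x','a','m','p','l','e','.','o','r','g' };
static const unsigned char sni_overrun[] = { 0x00, 0x05, 0x00, 0x00, 0x20, 'a', 'b' };
```

A malformed or truncated extension yields no match, which is the safe outcome for a callback that must decide the SSL_CTX before OpenSSL has validated anything.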
Yann Ylavic [Sat, 19 Oct 2019 13:58:16 +0000 (13:58 +0000)]
mod_proxy_http: follow up to r1868576.
As suggested by Ruediger, let the HTTP_IN filter handle the 100 continue from
spool_reqbody_cl().
Also, according to rfc7231#section-5.1.1, we don't need the interim response
if we "already received some or all of the message body", which is now also
taken into account.
Yann Ylavic [Fri, 18 Oct 2019 07:50:59 +0000 (07:50 +0000)]
mod_proxy_http: Fix 100-continue deadlock for spooled request bodies. PR 63855.
Send "100 Continue", if needed, before fetching/blocking on the request body in
spool_reqbody_cl(), otherwise mod_proxy and the client can wait for each other,
leading to a request timeout (408).
While at it, make so that ap_send_interim_response() uses the default status
line if none is set in r->status_line.
Stefan Eissing [Wed, 16 Oct 2019 12:31:43 +0000 (12:31 +0000)]
*) mod_md: Adding several new features.
The module offers an implementation of OCSP Stapling that can replace fully or
for a limited set of domains the existing one from mod_ssl. OCSP handling
is part of mod_md's monitoring and message notifications. It can be used
for sites that do not have ACME certificates.
The URL for a CTLog Monitor can be configured. It is used in the server-status
to link to the external status page of a certificate.
The MDMessageCmd is called with argument "installed" when a new certificate
has been activated on server restart/reload. This allows for processing of
the new certificate, for example for applications that require it in different
locations or formats.
Ruediger Pluem [Fri, 11 Oct 2019 15:11:40 +0000 (15:11 +0000)]
Fix pool concurrency problems
Create a subpool of the connection pool for worker scoped DNS resolutions.
This is needed to avoid race conditions in using the connection pool by multiple
threads during ramp up.
Recheck after obtaining the lock if we still need to do things or if they
were already done by another thread while we were waiting on the lock.
* modules/proxy/proxy_util.c: Create a subpool of the connection pool for worker
scoped DNS resolutions and use it.
* modules/proxy/mod_proxy.h: Define AP_VOLATILIZE_T and add dns_pool to
struct proxy_conn_pool.
* modules/proxy/mod_proxy_ftp.c: Use dns_pool and consider that
worker->cp->addr is volatile in this location of the code.
Joe Orton [Fri, 4 Oct 2019 09:24:07 +0000 (09:24 +0000)]
* modules/generators/cgi_common.h (discard_script_output): Simplify
slightly and ensure constant rather than unlimited memory
consumption when discarding CGI script output (for e.g. a redirect
response).
Change from previous: mod_cgi will now explicitly discard output when
returning HTTP_MOVED_TEMPORARILY for relative redirects (should not be
functionally different), TRACE1 logging of ap_pass_brigade failures
for mod_cgid is dropped.
* modules/generators/cgi_common.h (cgi_handle_response): New function,
factored out from mod_cgid.
(discard_script_output): Copied function from mod_cgi/d unchanged.
* modules/generator/mod_cgid.c (cgid_handler),
modules/generator/mod_cgi.c (cgi_handler): Use cgi_handle_response.
ap_http_header_filter: avoid double encoding of output headers in traces.
When output headers are logged (TRACE4) in send_all_header_fields(), we don't
need to explicitly ap_escape_logitem() them since ap_log_rerror() takes care
of log files escaping already.
Otherwise, characters like '"' are unnecessarily encoded, and '\\' is doubly
encoded (including for controls).
Joe Orton [Fri, 13 Sep 2019 10:43:16 +0000 (10:43 +0000)]
* modules/mappers/mod_rewrite.c: Enhance trace-level logging to log
line numbers accurately for C99 compilers, and remove odd/awkward
double-parentheses using the rewritelog() macro. For non-C99
compilers do_rewritelog() will now be defined - but as a noop - if
REWRITELOG_DISABLED is defined at compile time.
No functional change at runtime apart from the line numbers being
fixed.
Eric Covener [Fri, 30 Aug 2019 11:58:41 +0000 (11:58 +0000)]
restore use of global mutex under !APR_HAS_THREADS
followup to r1852442 which appears to have been too aggressive in wrapping
blocks with #if APR_HAS_THREADS. With !APR_HAS_THREADS a global mutex
is a proc mutex.
Ruediger Pluem [Thu, 29 Aug 2019 14:53:04 +0000 (14:53 +0000)]
* Make it obsolete to supply a starting pool
Improve dump_all_pools by making it obsolete to supply a starting pool.
If the parameter is not supplied, ap_pglobal, which is a global symbol, is
used as the starting pool.
The pool parameter is still accepted and considered for backwards
compatibility or if ap_pglobal cannot be resolved.
Yann Ylavic [Fri, 23 Aug 2019 10:31:01 +0000 (10:31 +0000)]
mod_ssl: OCSP does not apply to proxy mode, fix verify context.
Since ssl_callback_SSLVerify() is called for both server and proxy modes,
use myCtxConfig()->ocsp_mask to check the right mode/configuration (i.e.
none for proxy in any case).
Add some missing <module> tags.
Add some missing <directive> tags.
Add some missing <directive module=...> links
Add the name of the directive in <default>, so that 'quickreference.html' is generated correctly.
In the AuthnCacheContext directive, fix the way 'directory' and 'server' are displayed. They are keywords and should not be in italic.
Fix a signed/unsigned comparison that can never match.
-1 is a valid length value (for socket, pipe and cgi buckets for example)
All paths I've checked cast the -1 to (apr_size_t) in order for the comparison to work. So do it as well here.
This has been like that in trunk since r708144, about 11 years ago, so I assume that it is not really an issue.
Fix a corner case where automatic APLOGNO number generation generates invalid code. (see r1864733 fixed in r1864736, thx Eric)
Not sure why this ,? is there, but it looks unneeded to me.
There may be a link with the patterns used in 'find-messages.cocci'. They seem to add some extra ',' after the empty APLOGNO() it generates.
I will investigate further and fix 'find-messages.cocci' accordingly if needed.