From 3e4e402daa6429ee74cfa2d20543d8495b0bfa3b Mon Sep 17 00:00:00 2001
From: Jim Jagielski
Date: Thu, 12 May 2016 21:29:29 +0000
Subject: [PATCH] Merge r1729208, r1735668, r1735931, r1735935, r1735942 from trunk: let proxy handler forward ALPN protocol strings for ssl proxy connections Remove leftover comment APLOGNO update for mod_proxy_http2 fix APLOGNO at wrong place, me stupid h2_proxy_session: fill in missing APLOGNO()s. Submitted by: icing, jailletc36, icing, icing, ylavic Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1743576 13f79535-47bb-0310-9956-ffa450edef68
---
CHANGES | 5 +++++
STATUS | 10 ----------
modules/http2/NWGNUmakefile | 2 +-
modules/http2/config2.m4 | 25 ++++++++++++++++++++++++
modules/http2/h2_session.c | 1 -
modules/ssl/ssl_engine_io.c | 38 +++++++++++++++++++++++++++++++++++++
6 files changed, 69 insertions(+), 12 deletions(-)
diff --git a/CHANGES b/CHANGES
index a2fc327e9a..e1a3b49d45 100644
--- a/CHANGES
+++ b/CHANGES
@@ -95,6 +95,11 @@ Changes with Apache 2.4.19 *) mod_authz_host: Add a new "forward-dns" authorization type, not relying on reverse DNS lookups. [Fabien]
+ *) mod_proxy_http2: new experimental http2 proxy module for h2: and h2c: proxy
+ urls. Uses backend connections for concurrent requests if frontend
+ connection is http2 as well.
+ [Stefan Eissing]
+
*) mod_ssl: Add hooks to allow other modules to perform processing at several stages of initialization and connection handling. See mod_ssl_openssl.h. [Jeff Trawick]
diff --git a/STATUS b/STATUS
index 59f1b2925a..6ca83741a9 100644
--- a/STATUS
+++ b/STATUS
@@ -114,16 +114,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ]
- *) mod_proxy_http2: add http2 proxy support in new, experimental module.
- Includes backport of r1729208 to set ALPN protocols for ssl backend
- connections.
- Trunk version of patch:
- Backport version for 2.4.x of patch: https://www.eissing.org/proxy_http2_2.4v4.patch
- +1: icing, ylavic, jim
- updated patch after review by cjaillet, merged 1735668,1735748 from trunk
- updated patch with APLOGNOs by merging 1735931,1735935 from trunk
- updated patch with APLOGNOs by merging 1735942 from trunk
-
PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ]
diff --git a/modules/http2/NWGNUmakefile b/modules/http2/NWGNUmakefile
index e97efcaa26..d4a51ed304 100644
--- a/modules/http2/NWGNUmakefile
+++ b/modules/http2/NWGNUmakefile
@@ -153,7 +153,7 @@ XDCDATA = # TARGET_nlm = \ $(OBJDIR)/mod_http2.nlm \
- $(OBJDIR)/mod_http2.nlm \
+ $(OBJDIR)/proxyht2.nlm \
$(EOLIST) #
diff --git a/modules/http2/config2.m4 b/modules/http2/config2.m4
index 9919bf0883..053e4ca094 100644
--- a/modules/http2/config2.m4
+++ b/modules/http2/config2.m4
@@ -197,6 +197,31 @@ is usually linked shared and requires loading. ], $http2_objs, , most, [
+dnl # list of module object files
+proxy_http2_objs="dnl
+mod_proxy_http2.lo dnl
+h2_int_queue.lo dnl
+h2_proxy_session.lo dnl
+h2_request.lo dnl
+h2_util.lo dnl
+"
+
+dnl # hook module into the Autoconf mechanism (--enable-proxy_http2)
+APACHE_MODULE(proxy_http2, [HTTP/2 proxy module. This module requires a libnghttp2 installation.
+See --with-nghttp2 on how to manage non-standard locations. Also requires --enable-proxy.], $proxy_http2_objs, , no, [
+ APACHE_CHECK_NGHTTP2
+ if test "$ac_cv_nghttp2" = "yes" ; then
+ if test "x$enable_http2" = "xshared"; then
+ # The only symbol which needs to be exported is the module
+ # structure, so ask libtool to hide everything else:
+ APR_ADDTO(MOD_PROXY_HTTP2_LDADD, [-export-symbols-regex proxy_http2_module])
+ fi
+ else
+ enable_proxy_http2=no
+ fi
+], proxy)
+
+
dnl # end of module specific part APACHE_MODPATH_FINISH
diff --git a/modules/http2/h2_session.c b/modules/http2/h2_session.c
index 5ee45acf9e..79b3fbc563 100644
--- a/modules/http2/h2_session.c
+++ b/modules/http2/h2_session.c
@@ -1925,7 +1925,6 @@ static void h2_session_ev_data_read(h2_session *session, int arg, const char *ms case H2_SESSION_ST_WAIT: transit(session, "data read", H2_SESSION_ST_BUSY); break;
- /* fall through */
default: /* nop */ break;
diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
index 77c484828a..0737640ada 100644
--- a/modules/ssl/ssl_engine_io.c
+++ b/modules/ssl/ssl_engine_io.c
@@ -1092,6 +1092,9 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx) if (sslconn->is_proxy) { #ifdef HAVE_TLSEXT apr_ipsubnet_t *ip;
+#ifdef HAVE_TLS_ALPN
+ const char *alpn_note;
+#endif
#endif const char *hostname_note = apr_table_get(c->notes, "proxy-request-hostname");
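Review bot: In modules/http2/config2.m4 the new proxy_http2 stanza tests the wrong variable, `if test "x$enable_http2" = "xshared"; then`, so the `-export-symbols-regex proxy_http2_module` restriction added to MOD_PROXY_HTTP2_LDADD follows how mod_http2 is built rather than how mod_proxy_http2 is built. The line was presumably carried over from the mod_http2 stanza above it, which is not visible in this hunk. It should read `if test "x$enable_proxy_http2" = "xshared"; then`, matching the `enable_proxy_http2=no` a few lines below. As written, a shared mod_proxy_http2 built alongside a static or disabled mod_http2 would not get the symbol hiding that the comment describes.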
@@ -1101,6 +1104,41 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx) sc = mySrvConfig(server); #ifdef HAVE_TLSEXT
+#ifdef HAVE_TLS_ALPN
+ alpn_note = apr_table_get(c->notes, "proxy-request-alpn-protos");
+ if (alpn_note) {
+ char *protos, *s, *p, *last;
+ apr_size_t len;
+
+ s = protos = apr_pcalloc(c->pool, strlen(alpn_note)+1);
+ p = apr_pstrdup(c->pool, alpn_note);
+ while ((p = apr_strtok(p, ", ", &last))) {
+ len = last - p - (*last? 1 : 0);
+ if (len > 255) {
+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(03309)
+ "ALPN proxy protocol identifier too long: %s",
+ p);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, server);
+ return APR_EGENERAL;
+ }
+ *s++ = (unsigned char)len;
+ while (len--) {
+ *s++ = *p++;
+ }
+ p = NULL;
+ }
+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, c,
+ "setting alpn protos from '%s', protolen=%d",
+ alpn_note, (int)(s - protos));
+ if (protos != s && SSL_set_alpn_protos(filter_ctx->pssl,
+ (unsigned char *)protos,
+ s - protos)) {
+ ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, APLOGNO(03310)
+ "error setting alpn protos from '%s'", alpn_note);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_WARNING, server);
+ }
+ }
+#endif /* defined HAVE_TLS_ALPN */
/* * Enable SNI for backend requests. Make sure we don't do it for * pure SSLv3 connections, and also prevent IP addresses
--
2.40.0
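Review bot: `len = last - p - (*last? 1 : 0);` derives the token length from where apr_strtok() left `last`, and that comes out one too long when the "proxy-request-alpn-protos" note ends in a separator. As I read apr_strtok(), for a value such as "h2," it overwrites the comma with NUL and leaves `last` on the string's own terminator, so `*last` is 0, nothing is subtracted, and the copy loop writes that NUL into the protocol list as part of the identifier, which a backend cannot match. The token is already NUL-terminated at that point, so `len = strlen(p);` gives the length without depending on `last`. The write stays inside `protos` either way, because `strlen(alpn_note)+1` is exactly the worst case of one length byte per token; a one-line comment at the `apr_pcalloc` saying so would help, since the copy loop has no bound of its own. The enclosing ssl_io_filter_handshake() starts and ends outside this hunk.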