stopping a child process. The additional `graceful` parameter allows
registered hooks to free resources early during a graceful shutdown.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1891919 13f79535-47bb-0310-9956-ffa450edef68
- Domain names in `<MDomain ...>` can now appear in quoted form.
- Fixed a failure in ACME challenge selection that aborted further searches
when the tls-alpn-01 method did not seem to be suitable.
- Changed the tls-alpn-01 setup to only become unsuitable when none of the
dns names showed support for a configured 'Protocols ... acme-tls/1'. This
allows use of tls-alpn-01 for dns names that are not mapped to a VirtualHost.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1891683 13f79535-47bb-0310-9956-ffa450edef68
- Added a timeout to h2 worker cleanup to exit latest after 5 seconds of
waiting on idle workers to terminate. This happens after all connections
have been processed. a WARNING is logged in case workers lagged behind.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1891566 13f79535-47bb-0310-9956-ffa450edef68
Clear the workers created in ap_proxy_sync_balancer(), notably ->local_status
for below ap_proxy_initialize_worker() to initialize all the child structures
like ->cp and ->cp->reslist, avoiding a possible crash when the workers are
used at runtime.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1891477 13f79535-47bb-0310-9956-ffa450edef68
- Aborting requests via RST_STREAM no longer affect the available
resources of a connection when the first chunk of the response
body has been sent.
- H2Min/MaxWorkers behave as intended again. The module will initially
create H2MinWorkers threads and add up to H2MaxWorkers when needed. These
additional workers time out when idle after H2MaxWorkerIdleSeconds and
disappear again.
- When the shutdown of a child is detected (e.g. graceful shutdown), the
module will terminate all idle workers above H2MinWorkers right away.
This detection currently only happens when a HTTP/2 connection is active.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1891312 13f79535-47bb-0310-9956-ffa450edef68
We can't truncate ProxyMatch's worker name/url to the first '$' substitution
without possibly colliding with other workers. This also makes the matching
done at runtime by ap_proxy_strcmp_ematch() completely pointless.
To fix this and still address r1878467 (i.e. make http://host:port$1 a "valid"
URL), we need to remove '$' substitutions from the :port part of the URL only
since it's allowed anywhere else by apr_uri_parse().
So let's strip them before apr_uri_parse() and prepend them back in the path
before apr_uri_unparse() to restore the original URL. Non-matchable workers are
not concerned so ap_proxy_define_worker() is made a local helper (w/o the ap_
prefix) which takes "matchable" as argument and can then be called by both
ap_proxy_define_[match_]worker() functions.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1891206 13f79535-47bb-0310-9956-ffa450edef68
connections. If ALPN protocols are provided and sent to the
remote server, the received protocol selected is inspected
and checked for a match. Without match, the peer handshake
fails.
An exception is the proposal of "http/1.1" where it is
accepted if the remote server did not answer ALPN with
a selected protocol. This accomodates for hosts that do
not observe/support ALPN and speak http/1.x be default.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1890693 13f79535-47bb-0310-9956-ffa450edef68
Adding `outgoing` flag to conn_rec, indicating a connection is
initiated by the server to somewhere, in contrast to incoming
connections from clients.
Adding 'ap_ssl_bind_outgoing()` function that marks a connection
as outgoing and is used by mod_proxy instead of the previous
optional function `ssl_engine_set`. This enables other SSL
module to secure proxy connections.
The optional functions `ssl_engine_set`, `ssl_engine_disable` and
`ssl_proxy_enable` are now provided by the core to have backward
compatibility with non-httpd modules that might use them. mod_ssl
itself no longer registers these functions, but keeps them in its
header for backward compatibility.
The core provided optional function wrap any registered function
like it was done for `ssl_is_ssl`.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1890605 13f79535-47bb-0310-9956-ffa450edef68
into mod_log_config itself. These now use the global `ap_ssl_var_lookup()`
functions and work for all running SSL modules.
The dependency from mod_ssl to mod_log_config and its header is removed.
mod_ssl now provides the content of "{errstr}c" as variable "SSL_CLIENT_VERIFY_ERRSTR".
This change should be fully compatible to all deployed configurations.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1890003 13f79535-47bb-0310-9956-ffa450edef68
Daniel reported on user@ that hc connections do not timeout according to
the worker's tumeout= configuration, this fixes it.
While at it, copy the other timeout settings too.
Reported by: dferradal
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889936 13f79535-47bb-0310-9956-ffa450edef68
allows modules to access and provide OCSP response data without being tied
of each other. The data is exchanged in standard, portable formats (PEM encoded
certificates and DER encoded responses), so that the actual SSL/crypto
implementations used by the modules are independant of each other.
Registration and retrieval happen in the context of a server (server_rec)
which modules may use to decide if they are configured for this or not.
The area of changes:
1. core: defines 2 functions in include/http_ssl.h, so that modules may
register a certificate, together with its issuer certificate for OCSP
response provisioning and ask for current response data (DER bytes) later.
Also, 2 hooks are defined that allow modules to implement this OCSP
provisioning.
2. mod_ssl uses the new functions, in addition to what it did already, to
register its certificates this way. If no one is interested in providing
OCSP, it falls back to its own (if configured) stapling implementation.
3. mod_md registers itself at the core hooks for OCSP provisioning. Depending
on configuration, it will accept registrations of its own certificates only,
all certficates or none.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888723 13f79535-47bb-0310-9956-ffa450edef68
to PEM, to avoid newline mangling issues when using PEM in header
values.
* modules/ssl/ssl_private.h (SSL_OPT_EXPORTCB64DATA): New constant.
* modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl_cert_data):
New function, replacing ssl_var_lookup_ssl_cert_PEM.
(ssl_var_lookup_ssl): Use it, and add _B64CERT variants of
SSL_{CLIENT,SERVER}_CERT.
(ssl_var_lookup_ssl_cert_chain): Use it.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLOptions): Support
"ExportBase64CertData" argument.
* modules/ssl/ssl_engine_kernel.c (extract_to_env): New function.
(ssl_hook_Fixup): Use it, also export _B64CERT variables if
SSL_OPT_EXPORTCB64DATA is set; simplify the client cert chain
handling.
PR: 65169
Reviewed by: michaelo
Github: closes#177
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887811 13f79535-47bb-0310-9956-ffa450edef68
mod_md: tolerate missing revokeCert or keyChange resource
RFC 8555 §7.1 states:
The server MUST provide "directory" and "newNonce" resources.
But RFC 8555 makes no explicit statement anywhere whether other
resources are, or are not, required (with the exception of
"newAuthz" which is optional).
Therefore it is possible that some ACME server implementations may
omit some resources; in particular those that are not an essential
part of the "order" workflow. Indeed, I am working with one such
server implementation, which does not at this time implement
"keyChange". mod_md refuses to interact with this server because it
is checking that a certain set of resources are defined in the
directory object - despite some of those resources not currently
being used.
Update the check to require only "newNonce", "newAccount" and
"newOrder". Omit from the check and therefore tolerate the absense
of resources which are not always required: "revokeCert" and
"keyChange".
If mod_md implements revocation and/or key rollover in the future,
the availability of those features should be predicated on the
server's advertised capabilities.
38ff597f3c
Submitted by: Fraser Tweedale <ftweedal redhat.com>
Github: closes#122
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887148 13f79535-47bb-0310-9956-ffa450edef68
These function are always available, even when no module providing
SSL is loaded. They provide their own "shadowing" implementation for
the optional functions of similar name that mod_ssl and impersonators
of mod_ssl provide.
This enables loading of several SSL providing modules when all but
one of them registers itself into the new hooks. Two old-style SSL
modules will not work, as they replace the others optional functions
with their own.
Modules using the old-style optional functions will continue to work
as core supplies its own versions of those.
The following has been added so far:
- ap_ssl_conn_is_ssl() to query if a connection is using SSL.
- ap_ssl_var_lookup() to query SSL related variables for a
server/connection/request.
- Hooks for 'ssl_conn_is_ssl' and 'ssl_var_lookup' where modules
providing SSL can install their own value supplying functions.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1886840 13f79535-47bb-0310-9956-ffa450edef68
- logio: improvements to reporting of sent bytes for http2 responses
- directive H2OutputBuffering, controls if any output should be sent immediately.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1886792 13f79535-47bb-0310-9956-ffa450edef68
Prevent health checks from running for a worker until the last one is fully
finished, to avoid making things worse (memory growth, #connections, ..).
This is done by zeroing worker->s->updated before scheduling the worker in the
threadpool, and resetting the time when it's finished. The scheduler then does
nothing if worker->s->updated is zero.
Also, to save some apr_time_now() calls when !HC_USE_THREADS, *baton->now is
updated in the callback and reused by the scheduler.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1885691 13f79535-47bb-0310-9956-ffa450edef68
Let mod_proxy_http's canon and scheme handlers accept "ws[s]:" schemes so that
mod_proxy_wstunnel can decline requests when mod_proxy_http is loaded.
* modules/proxy/{mod_proxy.h,proxy_util.c} (ap_proxy_worker_can_upgrade):
Add a "dflt" argument to ap_proxy_worker_can_upgrade() which, if not NULL,
is matched when no worker upgrade= parameter is configured. This allows to
handle the default "Upgrade: websocket" case for "ws[s]:" schemes.
* modules/proxy/mod_proxy_http.c (proxy_http_canon, proxy_http_handler):
Add and use the new get_url_scheme() helper to parse URL schemes handled by
mod_proxy_http and use it in canon and scheme handlers. This helper now
accepts ws[s] schemes.
* modules/proxy/mod_proxy_wstunnel.c (proxy_wstunnel_post_config):
New post_config hook to detect whether mod_proxy_http is loaded and set
global fallback_to_mod_proxy_http flag in this case.
* modules/proxy/mod_proxy_wstunnel.c (proxy_wstunnel_check_trans,
proxy_wstunnel_canon,
proxy_wstunnel_handler):
These hooks now early return DECLINED if fallback_to_mod_proxy_http is set.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1885239 13f79535-47bb-0310-9956-ffa450edef68
the same was as non-leaf certs are in SSLCertificateFile - use them to
build the trusted cert chain for the end-entity (client) cert.
* modules/ssl/ssl_engine_init.c (ssl_init_proxy_certs):
For any non-leaf certificate present in the configured, trust as
if used in SSLProxyMachineCertificateChainFile.
Github: closes#151
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1884552 13f79535-47bb-0310-9956-ffa450edef68
mimetypes like:
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
This mimetypes contains 'xml', but is unfortunately not an xml file.
xml2enc processes these files (in particular, when mod_proxy_html is
used), typically resulting in them being corrupted as it seems to
attempt to perform a ISO-8859-1 to UTF-8 conversion on them.
* modules/filters/mod_xml2enc.c (xml2enc_ffunc): Restrict test for XML
types to matching "+xml".
Submitted by: Joseph Heenan <joseph.heenan fintechlabs.io>
PR: 64339
Github: closes#150
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1884505 13f79535-47bb-0310-9956-ffa450edef68
When proxy-sendcl is set, spool the request body to memory/disk so that a
Content-Length can be computed and provided to the backend.
If not set, still try to prefetch the body in non blocking mode, which allows
to handle small bodies (< 16K) the same way by default.
PR 57087.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1884068 13f79535-47bb-0310-9956-ffa450edef68
While httpd is supposed to do lingering close for incoming data, it has no
control anyway over outgoing/pending data once they are handled by the
system.
So don't reset the connection after lingering close times out, otherwise the
system won't do its own lingering close to flush un-acked data.
The connection reset was introduced by r1802875 and backported to 2.4.28.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1883097 13f79535-47bb-0310-9956-ffa450edef68
Before r1819855 (backported to 2.4.30), mpm_event killed keepalive connections
only when workers were exhausted, while this commit set workers_were_busy for
connections_above_limit().
Restore prior to r1819855 behaviour, and since ap_queue_info_num_idlers() is
now part of connections_above_limit(), let's update workers_were_busy there
only when necessary.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1883096 13f79535-47bb-0310-9956-ffa450edef68
to configure the Basic auth credentials to send to the remote proxy.
(Note that credentials are always sent w/o waiting for a challenge as
with proxy-chain-auth, and only Basic is supported - both of which are
not exactly ideal - but better than nothing.)
* modules/proxy/mod_proxy.h (struct proxy_remote): Add creds field.
* modules/proxy/mod_proxy.c (proxy_handler): Pass forward proxy
credentials via r->notes.
(add_proxy): Take credentials and base64-encode into ->creds field if
passed.
(add_proxy_noregex, add_proxy_regex): Take optional creds argument.
* modules/proxy/proxy_util.c (ap_proxy_determine_connection):
Use proxy credentials from r->notes if available.
(ap_proxy_create_hdrbrgd): Set Proxy-Authorization header from
credentials in r->notes if present.
PR: 37355
Github: closes#135
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1881790 13f79535-47bb-0310-9956-ffa450edef68
different modes in dav_fs_open_stream(), indicate failure because of
different file open modes. Also add the filepath in the log messages.
Github: closes#138
PR: 64413
Submitted by: Bingyu Shen <ahshenbingyu gmail.com>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1881736 13f79535-47bb-0310-9956-ffa450edef68
