- Enabling ED25519 support and certificate transparency information when
building with libressl v3.5.0 and newer. Thanks to Giovanni Bechis.
- MDChallengeDns01 can now be configured for individual domains.
Thanks to Jérôme Billiras (@bilhackmac) for the initial PR.
- Fixed a bug found by Jérôme Billiras (@bilhackmac) that caused the challenge
teardown not to be invoked as it should.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1908080 13f79535-47bb-0310-9956-ffa450edef68
amount of response body bytes put into a single HTTP/2 DATA frame.
Setting this to 0 places no limit (but the max size allowed by the
protocol is observed).
The module, by default, tries to use the maximum size possible, which is
somewhat around 16KB. This sets the maximum. When less response data is
available, smaller frames will be sent.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1907697 13f79535-47bb-0310-9956-ffa450edef68
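The frame-size rule described above (a configured maximum of 0 means "no limit", the peer's protocol limit is always observed, and smaller frames go out when less data is available), as an added example that is not httpd code. The function names, the 16384-byte default for SETTINGS_MAX_FRAME_SIZE and the 9-byte DATA frame header layout follow RFC 9113; the sample body is constructed here.

```python
"""Split a response body into HTTP/2 DATA frames under a configured cap.

Added illustration of the directive semantics, not mod_http2 code:
  * configured_max == 0  -> no configured limit (peer limit still applies)
  * configured_max  > 0  -> min(configured_max, peer limit)
  * the last frame of the body carries END_STREAM
Frame header per RFC 9113 section 4.1: 24-bit length, 8-bit type,
8-bit flags, 1 reserved bit + 31-bit stream identifier.
"""
import struct
from typing import List, Tuple

DATA_FRAME_TYPE = 0x0
FLAG_END_STREAM = 0x1
DEFAULT_MAX_FRAME_SIZE = 1 << 14  # 16384: initial SETTINGS_MAX_FRAME_SIZE value


def effective_frame_size(configured_max: int,
                         peer_max: int = DEFAULT_MAX_FRAME_SIZE) -> int:
    """Largest DATA payload we may send: 0 = unlimited, but never above peer_max."""
    if configured_max < 0:
        raise ValueError("configured maximum must be >= 0")
    if configured_max == 0:
        return peer_max
    return min(configured_max, peer_max)


def build_data_frames(stream_id: int, body: bytes, configured_max: int,
                      peer_max: int = DEFAULT_MAX_FRAME_SIZE) -> List[bytes]:
    """Serialize body into DATA frames; an empty body still yields one END_STREAM frame."""
    size = effective_frame_size(configured_max, peer_max)
    chunks = [body[i:i + size] for i in range(0, len(body), size)] or [b""]
    frames = []
    for idx, chunk in enumerate(chunks):
        flags = FLAG_END_STREAM if idx == len(chunks) - 1 else 0
        header = (struct.pack(">I", len(chunk))[1:]          # 24-bit length
                  + bytes([DATA_FRAME_TYPE, flags])           # type, flags
                  + struct.pack(">I", stream_id & 0x7FFFFFFF))  # R bit cleared
        frames.append(header + chunk)
    return frames


def parse_frame_header(frame: bytes) -> Tuple[int, int, int, int]:
    """Decode (length, type, flags, stream_id) from a serialized frame."""
    length = int.from_bytes(frame[0:3], "big")
    ftype, flags = frame[3], frame[4]
    stream_id = int.from_bytes(frame[5:9], "big") & 0x7FFFFFFF
    return length, ftype, flags, stream_id


if __name__ == "__main__":
    # Constructed 40000-byte body: with no configured limit the protocol
    # default of 16384 governs, giving frames of 16384, 16384 and 7232 bytes.
    frames = build_data_frames(1, b"x" * 40000, configured_max=0)
    for f in frames:
        print(parse_frame_header(f))
```

Running it prints the three header tuples; the last one has flags 1 (END_STREAM) and length 7232.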
connections of any age to be reused. Up to now, a negative value was handled
as an error when parsing the configuration file. PR 66421.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1907024 13f79535-47bb-0310-9956-ffa450edef68
reported in access logs and error documents. The processing of the
reset was correct, only unnecessary reporting was caused.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1906775 13f79535-47bb-0310-9956-ffa450edef68
to responses from the backend, as other proxy modules do. Fixes PR 66391.
Thanks to Jérôme Billiras for providing the patch.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1906051 13f79535-47bb-0310-9956-ffa450edef68
leading/trailing whitespace (space + htab) before being processed
or sent in a response. This behaviour is compatible with HTTP/1.1
parsers that strip incoming headers of such characters.
[Stefan Eissing]
- removed intermittent "H2HeaderStrictness" directive again.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1904777 13f79535-47bb-0310-9956-ffa450edef68
mod_dav-fs scales badly when a few clients run PROPFIND requests to discover
directory content. Each PROPFIND involves lockdiscovery, which in turn waits
for a locked access to the file containing the lock database. Performance
quickly drops because of lock contention on this file.
Add a DAVLockDiscovery configuration directive that allows lockdiscovery to be
disabled. Its argument is an Apache expression so that flexible configurations
are possible (per-request).
When lock discovery is disabled, an empty lockdiscovery property is returned on
PROPFIND methods, just as if no lock was set on the object. That should cause
no regression, since a client cannot rely on lockdiscovery to decide when a
file should be accessed, the LOCK method must be used.
If DAVLockDiscovery is not specified, the behavior is unchanged.
PR 66313.
Submitted by: Emmanuel Dreyfus <manu netbsd.org>
Reviewed by: ylavic
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1904638 13f79535-47bb-0310-9956-ffa450edef68
some dollar substitution (backreference) happens in the hostname
or port part of the URL.
Address or connection reuse can't work when the authority part of the URL is
dynamic (single origin server[:port] handled/assumed in the reslist). Detect
such cases and unset worker->s->is_address_reusable to disable reuse regardless
of enablereuse/disablereuse.
* modules/proxy/proxy_util.c(ap_proxy_define_worker_ex):
Lookup for $n substitution in the hostname[:port] when parsing the URL and
if present, set worker->s->is_address_reusable=0 / worker->s->disablereuse=1.
* modules/proxy/proxy_util.c(ap_proxy_initialize_worker):
Don't overwrite worker->s->is_address_reusable from enablereuse/disablereuse
parameters, and set both consistently.
* docs/manual/mod/mod_proxy.xml:
Add ProxyPassMatch compatibility note about key=value parameters handled with
$n substitutions since 2.4.47.
Document the specificities of enablereuse/disablereuse w.r.t. $n substitutions
in the different parts of the URL.
Axe the note about unparsable URLs when the $n substitution happens in the
port, this has been addressed in 2.4.47 too (and works now).
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1904513 13f79535-47bb-0310-9956-ffa450edef68
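The detection rule above (a `$n` backreference in the hostname or port of a ProxyPassMatch target forces address reuse off, whatever enablereuse/disablereuse says, while a backreference only in the path leaves reuse alone), as an added example in Python rather than the C in proxy_util.c. It is not httpd code; the function names and the sample URLs are constructed here.

```python
"""Decide whether a proxy worker URL allows address/connection reuse.

Added illustration of the rule from the commit, not mod_proxy code:
a backreference ($0..$9) anywhere in the authority (host or port)
means the origin server is chosen per request, so a pooled connection
to "the" backend cannot be reused safely. A backreference in the path
or query does not affect the authority and keeps the reuse setting.
"""
import re
from typing import Tuple

BACKREF = re.compile(r"\$[0-9]")


def split_proxy_url(url: str) -> Tuple[str, str, str]:
    """Return (scheme, authority, path) without interpreting the authority.

    urllib.parse is avoided on purpose: "$1" is not a valid port number and
    SplitResult.port would raise, but we only want to look at the raw text.
    """
    scheme, sep, rest = url.partition("://")
    if not sep or not scheme:
        raise ValueError("worker URL must be scheme://authority[/path]")
    authority, slash, path = rest.partition("/")
    if not authority:
        raise ValueError("worker URL has an empty authority")
    return scheme, authority, ("/" + path) if slash else "/"


def authority_is_dynamic(url: str) -> bool:
    """True when the host or port text contains a $n substitution."""
    _, authority, _ = split_proxy_url(url)
    return BACKREF.search(authority) is not None


def is_address_reusable(url: str, enablereuse: bool = True) -> bool:
    """Mirror the commit's rule: dynamic authority wins over enablereuse."""
    if authority_is_dynamic(url):
        return False
    return enablereuse


if __name__ == "__main__":
    # Constructed sample worker URLs as they might appear in ProxyPassMatch.
    for u in ("http://backend.example.internal:8080/$1",   # path only: reusable
              "http://$1.example.internal/",               # host: not reusable
              "http://backend.example.internal:$1/",       # port: not reusable
              "http://[::1]:8080/app/$1"):                 # IPv6 literal, path only
        print(u, "->", is_address_reusable(u))
```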
level of header checks as defined in the HTTP/2 RFCs. Default is 7540.
9113 activates the checks for forbidden leading/trailing whitespace in
field values (available from nghttp2 v1.50.0 on).
- source sync with github version
- fix for keepalive idle wait in mpm_worker setup
- ensuring EOS when secondary connection has been handled
- fixed race in late input EOS arrival when stream was
already scheduled for execution.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1904269 13f79535-47bb-0310-9956-ffa450edef68
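The two header-value treatments described on this page, the RFC 9113 level check above that rejects forbidden leading/trailing whitespace in field values, and the earlier entry (r1904777) that strips such whitespace the way HTTP/1.1 parsers do, as one added example in Python. This is not mod_http2 or nghttp2 code; the mode numbers 7540 and 9113 are reused only as labels for the two behaviours, and the function names and sample headers are constructed here. It goes slightly beyond the page in one respect: both modes also reject NUL, CR and LF inside a field value, which RFC 9113 section 8.2.1 forbids outright.

```python
"""Normalize or reject HTTP/2 field values depending on a strictness level.

Added example, not httpd code. Two behaviours are modelled:
  * 7540 (lenient): strip leading/trailing SP and HTAB, as HTTP/1.1
    parsers do, so front-end and back-end see the same value.
  * 9113 (strict): reject a value that starts or ends with SP/HTAB.
In both modes a value containing NUL, CR or LF is rejected, since those
bytes must never appear in an HTTP/2 field value (RFC 9113 s. 8.2.1).
"""
import re
from typing import List, Tuple

OWS = " \t"
FORBIDDEN_CTL = re.compile(r"[\x00\r\n]")
LEVELS = (7540, 9113)

Header = Tuple[str, str]


class FieldValueError(ValueError):
    """Raised when a field value is not acceptable at the chosen level."""


def normalize_field_value(value: str, level: int = 7540) -> str:
    """Return the value to process further, or raise FieldValueError."""
    if level not in LEVELS:
        raise ValueError("unknown header check level %r" % (level,))
    if FORBIDDEN_CTL.search(value):
        raise FieldValueError("field value contains NUL, CR or LF")
    stripped = value.strip(OWS)
    if level == 9113 and stripped != value:
        raise FieldValueError("leading/trailing whitespace forbidden at level 9113")
    return stripped


def normalize_headers(headers: List[Header], level: int = 7540) -> List[Header]:
    """Apply normalize_field_value to every (name, value) pair in order."""
    return [(name, normalize_field_value(value, level)) for name, value in headers]


if __name__ == "__main__":
    # Constructed sample field list; the second value has padding on both sides.
    sample = [("content-type", "text/plain"), ("x-trace", "\tabc  ")]
    print(normalize_headers(sample, 7540))   # padding stripped
    try:
        normalize_headers(sample, 9113)
    except FieldValueError as e:
        print("rejected at 9113:", e)
```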
*) mod_md: a new directive `MDStoreLocks` can be used on cluster
setups with a shared file system for `MDStoreDir` to order
activation of renewed certificates when several cluster nodes are
restarted at the same time. Store locks are not enabled by default.
Restored curl_easy cleanup behaviour from v2.4.14 and refactored
the use of curl_multi for OCSP requests to work with that.
Fixes <https://github.com/icing/mod_md/issues/293>.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1903677 13f79535-47bb-0310-9956-ffa450edef68
error was logged when "SSLProxyEngine" was only configured in the
location/proxy section and not the overall server. The connection
continued to work, the error log was in error. Fixed PR 66190.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1903167 13f79535-47bb-0310-9956-ffa450edef68
* modules/ssl/ssl_private.h():
#define modssl_fips_is_enabled() and modssl_fips_enable() to wrap the
native OpenSSL FIPS functions available on OPENSSL_VERSION_NUMBER.
* modules/ssl/ssl_engine_init.c(ssl_init_Module, modssl_fips_cleanup):
Use the new wrappers instead of the OPENSSL_VERSION_NUMBER < 3.0 functions.
Submitted by: Petr Sumbera <petr.sumbera oracle.com>, ylavic
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1901470 13f79535-47bb-0310-9956-ffa450edef68
Stop returning 417 when mod_proxy has to forward an HTTP/1.1 request with both
"Expect: 100-continue" and "force-proxy-request-1.0" set, mod_proxy can instead
handle the 100-continue by itself before forwarding the request, like in the
"Proxy100Continue Off" case.
Note that this does not change the behaviour of httpd receiving an HTTP/1.0
request with an Expect header, ap_check_request_header() will still correctly
return 417 in this case.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1901420 13f79535-47bb-0310-9956-ffa450edef68
*) core: the conf/mime.types has been updated in conformance with RFC 9239:
- .js moved from 'application/javascript' to 'text/javascript'
- .mjs was added as 'text/javascript'
[Mathias Bynens <@mathiasbynens> via PR 318]
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1901273 13f79535-47bb-0310-9956-ffa450edef68
an ACME CA. This gives a failover for renewals when several consecutive attempts
to get a certificate failed.
A new directive was added: `MDRetryDelay` sets the delay of retries.
A new directive was added: `MDRetryFailover` sets the number of errored
attempts before an alternate CA is selected for certificate renewals.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1900852 13f79535-47bb-0310-9956-ffa450edef68
This allows for multiple CPUs to handle the load, the number of requests and
concurrency level asked are distributed over the configured number of workers,
allowing for as much parallelism.
On unixes (only for now), -W0 will use all the CPUs available on the system.
To avoid synchronization during runtime, the stats and requests times are
gathered per worker and consolidated at the end of the run before being
printed.
Connection closes, keepalives and errors are now handled in a single place,
namely cleanup_connection(), which takes care of the good/bad state of each
request based on the response fully received or not.
When multiple workers are running, SIGINT is handled by the main thread only
and masked in workers, workers are asked to stop and woken up if waiting in
poll().
A single worker is started first to determine the connectivity with the peer,
if that fails (10 tries) ab will stop early still without starting the other
workers, otherwise the first worker will signal the main thread to start the
others.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1900362 13f79535-47bb-0310-9956-ffa450edef68
Especially not only status summary counts for certificates and
OCSP stapling but also lists. Auto status format is similar to
what was used for mod_proxy_balancer.
added change description for code added in r1900313.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1900314 13f79535-47bb-0310-9956-ffa450edef68
local tailscale demon for users of that secure networking.
This gives trusted certificates for tailscale assigned
domain names in the *.ts.net space.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1900313 13f79535-47bb-0310-9956-ffa450edef68
When TLS1_3_VERSION is defined by the SSL library, bump the maximum TLS
protocol to that and use it for "-f ALL" or "-f TLSv1.3".
This mixes proposed patches from BZ 63594 and 64699.
BZ: 63594, 64699
Submitted by: abhilash <abhilash1232 gmail.com>
Submitted by: xiaolongx.jiang intel.com
Submitted & Reviewed by: ylavic
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1900157 13f79535-47bb-0310-9956-ffa450edef68
OSX supports TCP_NOPUSH but does not release the data retained (in TCP stack)
when the option is unset. It seems that unsetting it before the last write
does not help either so just disable the optimization for OSX in the core
output filter to avoid uncontrollable transmission delays.
* server/core_filters.c():
Add the sock_nopush() helper that does nothing on OSX and platforms not
supporting TCP_NOPUSH or TCP_CORK.
* server/core_filters.c(send_brigade_nonblocking):
Use sock_nopush() instead of apr_socket_opt_set() for APR_TCP_NOPUSH option.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1900100 13f79535-47bb-0310-9956-ffa450edef68
Especially not only status summary counts for certificates and
OCSP stapling but also lists. Auto status format is similar to
what was used for mod_proxy_balancer.
[Rainer Jung]
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1900039 13f79535-47bb-0310-9956-ffa450edef68
*) core/mod_http: use REQUEST meta buckets and a new HTTP/1.x specific
input filter to separate the handling for HTTP requests from the
handling of HTTP/1.x request parsing and checks.
A new HTTP1_REQUEST_IN filter installs itself on http/1.1 connections
before a request is being read. It generates either a REQUEST meta
bucket on success or an ERROR bucket with the proposed response status.
The core connection processing, relying on ap_read_request(), now expects
a REQUEST or ERROR bucket from the input filters and is agnostic to
specific HTTP versions and how they bring requests into the server.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1899799 13f79535-47bb-0310-9956-ffa450edef68
filter to send responses through the output filter chain.
Specifically: the HTTP_HEADER output filter and ap_send_interim_response()
create a RESPONSE bucket and no longer are concerned with HTTP/1.x
serialization.
A new HTTP1_RESPONSE_OUT transcode filter writes the proper HTTP/1.x
bytes when dealing with a RESPONSE bucket. That filter installs itself
on the pre_read_request hook when the connection has protocol 'http/1.1'.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1899648 13f79535-47bb-0310-9956-ffa450edef68