Commit Graph

182 Commits

Author SHA1 Message Date
7ecfc5b3a8 * Fix memory leak in case of failures to load the private key.
PR: 65620


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893969 13f79535-47bb-0310-9956-ffa450edef68
2021-10-07 11:55:51 +00:00
e150697086 core: AP_NORMALIZE_DECODE_UNRESERVED should normalize the second encoded dot.
Otherwise ap_normalize_path() can leave some "%2e" encoded.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893724 13f79535-47bb-0310-9956-ffa450edef68
2021-09-29 12:35:25 +00:00
3d2842e915 mod_proxy: Add tunnel_forward hook.
* modules/proxy/mod_proxy.h, modules/proxy/mod_proxy.c:
  Declare/implement the hook.

* modules/proxy/proxy_util.c(proxy_transfer):
  Run tunnel_forward hooks when called by the tunneling loop.
  Simpler input/output brigade cleanup on exit.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893603 13f79535-47bb-0310-9956-ffa450edef68
2021-09-24 15:52:50 +00:00
df3a613555 * Update CHANGES [skip ci]
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893590 13f79535-47bb-0310-9956-ffa450edef68
2021-09-24 06:45:09 +00:00
7f08c2bfa1 * Correctly handle errors returned by dav providers on REPORT requests.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893589 13f79535-47bb-0310-9956-ffa450edef68
2021-09-24 06:42:04 +00:00
8720881b06 * Correctly decrement active_daemons also in the case that the child
process decides on its own to die because of MaxRequestsPerChild.

PR: 65592


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893520 13f79535-47bb-0310-9956-ffa450edef68
2021-09-22 18:48:25 +00:00
6d476a6695 mod_proxy: Handle UDS URIs with empty hostname as if they had no hostname.
It was reported to me (privately) that r1893101 broke existing settings like:
  SetHandler "proxy:unix:///path/to/uds.sock|fcgi://localhost/"

RFC 3986 (section 3.2.2) says that:
   If the URI scheme defines a default for host, then that default
   applies when the host subcomponent is undefined or when the
   registered name is empty (zero length).  For example, the "file" URI
   scheme is defined so that no authority, an empty host, and
   "localhost" all mean the end-user's machine, whereas the "http"
   scheme considers a missing authority or empty host invalid.

Let's consider that the "unix" scheme is closer to the "file" scheme than
the "http" one, and accept "unix:///path/to/uds.sock" as a valid URI.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893519 13f79535-47bb-0310-9956-ffa450edef68
2021-09-22 18:47:09 +00:00
6d76cbb910 mod_rewrite: Fix UDS ("unix:") scheme for [P] rules. PR 57691 + 65590.
Handle the unix: scheme as an absolute URI or a rule like:
  RewriteRule ^/(.*) unix:/path/to/uds.sock|fcgi://localhost/$1 [P]
sets r->filename for /index.html as:
  proxy:http://www.example.com/unix:/path/to/uds.sock|http://localhost/index.html
instead of the expected:
  proxy:unix:/path/to/uds.sock|http://localhost/index.html

Submitted by: Janne Peltonen <janne.peltonen sange.fi>
Reviewed by: ylavic



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893516 13f79535-47bb-0310-9956-ffa450edef68
2021-09-22 18:16:38 +00:00
994787e126 * Add change entry for r1893497 [skip ci]
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893507 13f79535-47bb-0310-9956-ffa450edef68
2021-09-22 07:02:28 +00:00
00e2ca574f *) mod_md: when MDMessageCmd for a 'challenge-setup:<type>:<dnsname>'
     fails (!= 0 exit), the renewal process is aborted and an error is
     reported for the MDomain. This provides scripts that distribute
     information in a cluster to abort early without bothering an ACME
     server to validate a dns name that will not work. The common
     retry logic will make another attempt in the future, as with
     other failures.
     Fixed a bug when adding private key specs to an already working
     MDomain, see <https://github.com/icing/mod_md/issues/260>.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893399 13f79535-47bb-0310-9956-ffa450edef68
2021-09-17 12:18:41 +00:00
44abd7180e *) mod_md: fixed a bug in handling multiple parallel OCSP requests. These could
     run into an assertion which terminated (and restarted) the child process where
     the task was running. Eventually, all OCSP responses were collected, but not
     in the way that things are supposed to work.
     See also <https://bz.apache.org/bugzilla/show_bug.cgi?id=65567>.
     The bug was possibly triggered when more than one OCSP status needed updating
     at the same time. For example for several renewed certificates after a server
     reload.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893359 13f79535-47bb-0310-9956-ffa450edef68
2021-09-15 13:22:27 +00:00
2fd8dd4a5e formatting change entry [skip ci]
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893215 13f79535-47bb-0310-9956-ffa450edef68
2021-09-10 08:18:32 +00:00
5057dc6a8e * mod_http2: when a server is restarted gracefully, any idle h2 worker
  threads are shut down immediately. [Stefan Eissing]



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893214 13f79535-47bb-0310-9956-ffa450edef68
2021-09-10 08:14:48 +00:00
2b7f51ade7 core: Add ap_create_connection() to create a server or client/proxy connection.
c->outgoing shouldn't be set by mod_ssl, ap_create_connection() allows that
and this commit also replaces all the calls to ap_run_create_connection() in
mod_proxy modules (not in the MPMs which create incoming connections only).

* include/http_connection.h, server/connection.c:
  Declare and implement ap_create_connection().

* modules/proxy/proxy_util.c, modules/proxy/mod_proxy_connect.c,
  modules/proxy/mod_proxy_ftp.c:
  Use ap_create_connection() instead of ap_run_create_connection(), and don't
  provide a connection_id or a scoreboard handle for outgoing connections.

* server/log.c(do_errorlog_default):
  Use c->outgoing instead of c->sbh to determine if it's a "client" or "remote"
  connection.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893184 13f79535-47bb-0310-9956-ffa450edef68
2021-09-09 16:55:24 +00:00
40df9da013 Sync CHANGES [skip ci].
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893049 13f79535-47bb-0310-9956-ffa450edef68
2021-09-07 15:29:23 +00:00
74c097f0e1 core: Initialize the request fields on read failure to avoid NULLs.
* server/protocol.c(read_request_line):
  Set r->method_number to M_INVALID and r->{method,uri,unparsed_uri} to "-"
  when read fails; ap_parse_request_line() will never be called.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893030 13f79535-47bb-0310-9956-ffa450edef68
2021-09-07 13:09:07 +00:00
e8dce10f62 Revert r1893026, will re-commit with minimal changes to ease backport.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893028 13f79535-47bb-0310-9956-ffa450edef68
2021-09-07 13:05:22 +00:00
d4f195853b core: Initialize the request fields on read failure to avoid NULLs.
* server/protocol.c(read_request_line):
  Set r->method_number to M_INVALID and r->{method,uri,unparsed_uri} to "-"
  when read fails; ap_parse_request_line() will never be called.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893026 13f79535-47bb-0310-9956-ffa450edef68
2021-09-07 13:00:06 +00:00
22895e737d mod_proxy: Don't canonicalize with both nocanon and ProxyPassInterpolateEnv On.
If nocanon is set, we should match the unparsed_uri against the interpolated
alias (not the ProxyPass'ed one) when verifying the resulting length. Otherwise
we falsely restore the canonicalized URL in case of mismatch.  PR 65549.

Submitted by: Joel Self <joelself gmail.com>



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893016 13f79535-47bb-0310-9956-ffa450edef68
2021-09-07 10:16:03 +00:00
03442ed466 mpm_event: Fix children processes possibly not stopped on graceful restart.
The number of children spawned can go above active_daemons_limit due to
exponential idle_spawn_rate growth (x 2), enforce the upper limit in
perform_idle_server_maintenance().  PR 63169.

Proposed by: Joel Self <joelself gmail.com>


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893014 13f79535-47bb-0310-9956-ffa450edef68
2021-09-07 09:34:09 +00:00
0df673fcce Reduce the time window where duplicates may be generated by mod_uniqueid
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1892915 13f79535-47bb-0310-9956-ffa450edef68
2021-09-05 05:58:57 +00:00
8fc481e28a Revert r1887244 and r1887245 which causes issues on Windows
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1892914 13f79535-47bb-0310-9956-ffa450edef68
2021-09-05 05:41:37 +00:00
2a8cdcefdf Sync CHANGES [skip ci].
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1892879 13f79535-47bb-0310-9956-ffa450edef68
2021-09-03 17:07:37 +00:00
520dcd80a4 mod_proxy: Faster unix socket path parsing in the "proxy:" URL.
The actual r->filename format is "[proxy:]unix:path|url" for UDS, no need to
strstr(,"unix:") since it's at the start of the string.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1892814 13f79535-47bb-0310-9956-ffa450edef68
2021-09-02 12:37:02 +00:00
b364cad72b mod_proxy_uwsgi: Fix PATH_INFO setting for generic worker.
When the generic "proxy:reverse" worker is selected for an uwsgi scheme, the
worker name is irrelevant so uwsgi_handler() should point to the PATH_INFO
directly from the given URL.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1892805 13f79535-47bb-0310-9956-ffa450edef68
2021-09-02 09:53:43 +00:00
62e6e7081e mod_md:
* Certificate/keys pairs are verified as matching before a renewal is accepted
   as successful or a staged renewal is replacing the existing certificates.
   This avoids potential mess-ups in the md store file system that render the active
   certificates non-working. [@mkauf]



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1892782 13f79535-47bb-0310-9956-ffa450edef68
2021-09-01 13:16:03 +00:00
e8228ba4e6 mod_proxy: Fix potential tunneling infinite loop and spurious timeout.
PRs 65521 and 65519.

* modules/proxy/proxy_util.c(ap_proxy_tunnel_run):
  Avoid an infinite loop by shutting down the connection for write when poll()
  returns POLLHUP and read is already down.  PR 65521.

* modules/proxy/proxy_util.c(ap_proxy_tunnel_run):
  When write completion is finished don't check for ap_filter_input_pending()
  before proxy_tunnel_forward() to flush input data, this is a nonblocking read
  already which will do the same thing implicitly. ap_filter_input_pending()
  is broken in 2.4.x without the whole pending data mechanism (not backported
  yet), so let's align here.  PR 65519.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1892740 13f79535-47bb-0310-9956-ffa450edef68
2021-08-30 18:04:20 +00:00
c1619c6843 Sync CHANGES entries [skip ci].
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1892737 13f79535-47bb-0310-9956-ffa450edef68
2021-08-30 17:05:13 +00:00
19360d53df * core/mpm: add hook `child_stopping` that gets called when the MPM is
    stopping a child process. The additional `graceful` parameter allows
    registered hooks to free resources early during a graceful shutdown.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1891919 13f79535-47bb-0310-9956-ffa450edef68
2021-07-31 13:36:19 +00:00
67c17882e1 Follow up to r1891716: CHANGES entry. [skip ci]
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1891728 13f79535-47bb-0310-9956-ffa450edef68
2021-07-22 17:18:00 +00:00
3fe911d3c9 *) mod_md:
     - Domain names in `<MDomain ...>` can now appear in quoted form.
     - Fixed a failure in ACME challenge selection that aborted further searches
       when the tls-alpn-01 method did not seem to be suitable.
     - Changed the tls-alpn-01 setup to only become unsuitable when none of the
       dns names showed support for a configured 'Protocols ... acme-tls/1'. This
       allows use of tls-alpn-01 for dns names that are not mapped to a VirtualHost.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1891683 13f79535-47bb-0310-9956-ffa450edef68
2021-07-20 12:44:31 +00:00
2aa1c1415a * mod_http2:
   - Added a timeout to h2 worker cleanup to exit latest after 5 seconds of
     waiting on idle workers to terminate. This happens after all connections
     have been processed. A WARNING is logged in case workers lagged behind.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1891566 13f79535-47bb-0310-9956-ffa450edef68
2021-07-15 08:29:19 +00:00
ff0f512db1 mod_proxy: Fix incomplete initialization of BalancerMember(s) from the manager.
Clear the workers created in ap_proxy_sync_balancer(), notably ->local_status
for below ap_proxy_initialize_worker() to initialize all the child structures
like ->cp and ->cp->reslist, avoiding a possible crash when the workers are
used at runtime.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1891477 13f79535-47bb-0310-9956-ffa450edef68
2021-07-12 10:32:21 +00:00
c07608101f *) mod_md: fixed a potential null pointer dereference if ACME/OCSP
     server returned 2xx responses without content type. Reported by chuangwen.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1891470 13f79535-47bb-0310-9956-ffa450edef68
2021-07-12 07:52:28 +00:00
2d34278612 *) mod_http2:
   - Aborting requests via RST_STREAM no longer affects the available
     resources of a connection when the first chunk of the response
     body has been sent.
   - H2Min/MaxWorkers behave as intended again. The module will initially
     create H2MinWorkers threads and add up to H2MaxWorkers when needed. These
     additional workers time out when idle after H2MaxWorkerIdleSeconds and
     disappear again.
   - When the shutdown of a child is detected (e.g. graceful shutdown), the
     module will terminate all idle workers above H2MinWorkers right away.
     This detection currently only happens when an HTTP/2 connection is active.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1891312 13f79535-47bb-0310-9956-ffa450edef68
2021-07-06 13:06:00 +00:00
71736a1f42 Sync CHANGES entries.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1891217 13f79535-47bb-0310-9956-ffa450edef68
2021-07-02 22:39:11 +00:00
542efc0f00 mod_proxy: Fix possible reuse/merging of Proxy(Pass)Match workers. PR 65419.
We can't truncate ProxyMatch's worker name/url to the first '$' substitution
without possibly colliding with other workers. This also makes the matching
done at runtime by ap_proxy_strcmp_ematch() completely pointless.

To fix this and still address r1878467 (i.e. make http://host:port$1 a "valid"
URL), we need to remove '$' substitutions from the :port part of the URL only
since it's allowed anywhere else by apr_uri_parse().

So let's strip them before apr_uri_parse() and prepend them back in the path
before apr_uri_unparse() to restore the original URL. Non-matchable workers are
not concerned so ap_proxy_define_worker() is made a local helper (w/o the ap_
prefix) which takes "matchable" as argument and can then be called by both
ap_proxy_define_[match_]worker() functions.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1891206 13f79535-47bb-0310-9956-ffa450edef68
2021-07-02 14:58:46 +00:00
06a3e22e28 *) mod_ssl: tighten the handling of ALPN for outgoing (proxy)
     connections. If ALPN protocols are provided and sent to the
     remote server, the received protocol selected is inspected
     and checked for a match. Without match, the peer handshake
     fails.
     An exception is the proposal of "http/1.1" where it is
     accepted if the remote server did not answer ALPN with
     a selected protocol. This accommodates hosts that do
     not observe/support ALPN and speak http/1.x by default.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1890693 13f79535-47bb-0310-9956-ffa450edef68
2021-06-11 10:45:25 +00:00
a4f45f275b *) core/mod_proxy/mod_ssl:
     Adding `outgoing` flag to conn_rec, indicating a connection is
     initiated by the server to somewhere, in contrast to incoming
     connections from clients.
     Adding `ap_ssl_bind_outgoing()` function that marks a connection
     as outgoing and is used by mod_proxy instead of the previous
     optional function `ssl_engine_set`. This enables other SSL
     modules to secure proxy connections.
     The optional functions `ssl_engine_set`, `ssl_engine_disable` and
     `ssl_proxy_enable` are now provided by the core to have backward
     compatibility with non-httpd modules that might use them. mod_ssl
     itself no longer registers these functions, but keeps them in its
     header for backward compatibility.
     The core-provided optional functions wrap any registered function
     like it was done for `ssl_is_ssl`.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1890605 13f79535-47bb-0310-9956-ffa450edef68
2021-06-08 14:37:44 +00:00
acd6d01267 mod_h2: Don't strip headers from 304 responses.
h2 equivalent of r1889341 for h1.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1890563 13f79535-47bb-0310-9956-ffa450edef68
2021-06-07 15:06:06 +00:00
6b05a451b8 mpm_prefork: mask signals during ap_run_child_init().
This prevents threads potentially created from the child_init hooks (e.g.
mod_watchdog workers) from catching signals needed by the MPM, like here:
https://travis-ci.com/github/apache/httpd/jobs/510821148#L5356.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1890465 13f79535-47bb-0310-9956-ffa450edef68
2021-06-04 13:21:28 +00:00
0dbc5ca076 * mod_log_config/mod_ssl: moved the log_handlers registered by mod_ssl
    into mod_log_config itself. These now use the global `ap_ssl_var_lookup()`
    functions and work for all running SSL modules.
    The dependency from mod_ssl to mod_log_config and its header is removed.
    mod_ssl now provides the content of "{errstr}c" as variable "SSL_CLIENT_VERIFY_ERRSTR".
    This change should be fully compatible with all deployed configurations.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1890003 13f79535-47bb-0310-9956-ffa450edef68
2021-05-18 14:42:52 +00:00
c3685c7a96 Sync CHANGES entries. [skip ci]
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889961 13f79535-47bb-0310-9956-ffa450edef68
2021-05-17 13:54:02 +00:00
ab2b9dbfb7 mod_proxy_hcheck: Honor worker timeout settings.
Daniel reported on user@ that hc connections do not timeout according to
the worker's timeout= configuration, this fixes it.

While at it, copy the other timeout settings too.

Reported by: dferradal


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889936 13f79535-47bb-0310-9956-ffa450edef68
2021-05-16 17:04:55 +00:00
fcf3ee2676 Follow up to r1889792: CHANGES entry.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889795 13f79535-47bb-0310-9956-ffa450edef68
2021-05-12 10:16:07 +00:00
958c12bd6a * Spelling fixes after review by @bigio.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889788 13f79535-47bb-0310-9956-ffa450edef68
2021-05-12 07:25:52 +00:00
886cb0d6aa * Do not strip any headers from 304 responses.
PR: 61820


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889341 13f79535-47bb-0310-9956-ffa450edef68
2021-04-30 20:08:46 +00:00
db5aa786d8 *) core/mod_ssl/mod_md: adding OCSP response provisioning as core feature. This
     allows modules to access and provide OCSP response data without being tied
     to each other. The data is exchanged in standard, portable formats (PEM encoded
     certificates and DER encoded responses), so that the actual SSL/crypto
     implementations used by the modules are independent of each other.
     Registration and retrieval happen in the context of a server (server_rec)
     which modules may use to decide if they are configured for this or not.
     The area of changes:
     1. core: defines 2 functions in include/http_ssl.h, so that modules may
        register a certificate, together with its issuer certificate for OCSP
        response provisioning and ask for current response data (DER bytes) later.
        Also, 2 hooks are defined that allow modules to implement this OCSP
        provisioning.
     2. mod_ssl uses the new functions, in addition to what it did already, to
        register its certificates this way. If no one is interested in providing
        OCSP, it falls back to its own (if configured) stapling implementation.
     3. mod_md registers itself at the core hooks for OCSP provisioning. Depending
        on configuration, it will accept registrations of its own certificates only,
        all certificates or none.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888723 13f79535-47bb-0310-9956-ffa450edef68
2021-04-13 11:12:00 +00:00
ac502d58fb Apply CHANGES. [skip ci]
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888270 13f79535-47bb-0310-9956-ffa450edef68
2021-04-01 10:28:51 +00:00
6c15ac6353 Follow up to r1888266, r1888268: fix PR in CHANGES entry.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1888269 13f79535-47bb-0310-9956-ffa450edef68
2021-04-01 10:25:13 +00:00