139 Commits

Author SHA1 Message Date
6a0896d693 *) mod_heartmonitor: Set the documented default value
"10" for HeartbeatMaxServers instead of "0". With "0"
     no shared memory slotmem was initialized. [Rainer Jung]


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1900026 13f79535-47bb-0310-9956-ffa450edef68
2022-04-19 08:59:47 +00:00
716d664f7d * Add Changelog for r1899451, r1899454, r1899562, r1899564, r1899584
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1899886 13f79535-47bb-0310-9956-ffa450edef68
2022-04-15 11:42:58 +00:00
5d3b2f1f0c *) mod_http2: use the new REQUEST buckets to forward request
on secondary connections. Use the now generic
     ap_process_connection() in h2 workers to process those.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1899802 13f79535-47bb-0310-9956-ffa450edef68
2022-04-13 08:38:12 +00:00
fbb84e00fa Merge PR 311:
*) core/mod_http: use REQUEST meta buckets and a new HTTP/1.x specific
     input filter to separate the handling for HTTP requests from the
     handling of HTTP/1.x request parsing and checks.
     A new HTTP1_REQUEST_IN filter installs itself on http/1.1 connections
     before a request is being read. It generates either a REQUEST meta
     bucket on success or an ERROR bucket with the proposed response status.
     The core connection processing, relying on ap_read_request(), now expects
     a REQUEST or ERROR bucket from the input filters and is agnostic to
     specific HTTP versions and how they bring requests into the server.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1899799 13f79535-47bb-0310-9956-ffa450edef68
2022-04-13 07:40:17 +00:00
d150ca6f4e Follow up to r1899777: CHANGES entry [skip ci].
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1899786 13f79535-47bb-0310-9956-ffa450edef68
2022-04-12 17:43:20 +00:00
0296d7dfea *) core/mod_http: use RESPONSE meta buckets and a new HTTP/1.x specific
filter to send responses through the output filter chain.
     Specifically: the HTTP_HEADER output filter and ap_send_interim_response()
     create a RESPONSE bucket and no longer are concerned with HTTP/1.x
     serialization.
     A new HTTP1_RESPONSE_OUT transcode filter writes the proper HTTP/1.x
     bytes when dealing with a RESPONSE bucket. That filter installs itself
     on the pre_read_request hook when the connection has protocol 'http/1.1'.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1899648 13f79535-47bb-0310-9956-ffa450edef68
2022-04-07 10:41:46 +00:00
a4ea0e7799 *) core: make ap_escape_quotes() work correctly on strings
with more than MAX_INT/2 characters, counting quotes double.
     Credit to <generalbugs@zippenhop.com> for finding this.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1899609 13f79535-47bb-0310-9956-ffa450edef68
2022-04-06 09:17:42 +00:00
6bd9d17e08 *) core: adding a new hook and method to the API:
create_secondary_connection and ap_create_secondary_connection()
     to setup connections related to a "master" one, as used in
     the HTTP/2 protocol implementation.

  *) mod_http2: using the new API calls to get rid of knowledge
     about how the core handles conn_rec specifics.
     Improvements in pollset stream handling to use less sets.
     Using atomic read/writes instead of volatiles now.
     Keeping a reserve of "transit" pools and bucket_allocs for
     use on secondary connections to avoid repeated setup/teardowns.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1899032 13f79535-47bb-0310-9956-ffa450edef68
2022-03-18 09:52:52 +00:00
df4d79d1a7 Sync CHANGES entries [skip ci]
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1898697 13f79535-47bb-0310-9956-ffa450edef68
2022-03-07 14:54:52 +00:00
6418c66ab6 core: Make sure and check that LimitXMLRequestBody fits in system memory.
LimitXMLRequestBody can not exceed the size needed to ap_escape_html2() the
body without failing to allocate memory, so enforce this at load time based
on APR_SIZE_MAX, and make sure that ap_escape_html2() is within the bounds.

Document the limits for LimitXMLRequestBody in our docs.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1898686 13f79535-47bb-0310-9956-ffa450edef68
2022-03-07 13:36:10 +00:00
0cb6384286 core: Simpler connection close logic if discarding the request body fails.
If ap_discard_request_body() sets AP_CONN_CLOSE by itself it simplifies and
allows to consolidate end_output_stream() and error_output_stream().



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1898683 13f79535-47bb-0310-9956-ffa450edef68
2022-03-07 13:19:37 +00:00
815cf05bb2 mod_rewrite: URI-to-filename rewrites to transparently handle proxy mappings.
Since mod_rewrite works on r->filename and mod_proxy's mapping=servlet|decoded
sets its "proxy:" URL there at pre_translate_name stage (i.e. before
mod_rewrite's translate_name hook), users have to match the full proxy URL in
their RewriteRules to handle proxy mappings, which is not very friendly nor
consistent with how proxy non-mapping requests have to be matched.

Let's use r->filename = r->uri in hook_uri2file() for pre_trans'ed reverse
proxy requests, and restore r->filename to its original value if the request
was finally DECLINED (like in hook_fixup).

But if a proxy mapping gets rewritten to a non-proxy request, clear any
proxy specific r->proxyreq or r->handler so that processing continues
accordingly.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1898509 13f79535-47bb-0310-9956-ffa450edef68
2022-03-01 13:26:03 +00:00
338daf4719 *) mod_watchdog: use the child_stopping and child_stopped hooks
to shutdown workers before pool destruction releases global
     resources and libraries.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1898370 13f79535-47bb-0310-9956-ffa450edef68
2022-02-24 11:56:01 +00:00
2e239ed8e6 * core/mpm: add hook 'child_stopped' that gets called when the MPM has
stopped all processing in a child process. This is when all running
    threads shall be stopped and joined.
    [Stefan Eissing]



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1898369 13f79535-47bb-0310-9956-ffa450edef68
2022-02-24 11:53:53 +00:00
6137cd7b74 *) mod_http2: preserve the port number given in a HTTP/1.1
request that was Upgraded to HTTP/2. Fixes PR65881.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1898146 13f79535-47bb-0310-9956-ffa450edef68
2022-02-17 10:06:31 +00:00
d27a32da69 * Change the logic to choose the maximum of both timeouts (front end socket,
backend socket) instead of the minimum as backend timeouts can be
  configured more selectively (per worker if needed) as front end timeouts
  and typically the backend timeouts reflect the application requirements
  better.

PR: 65886


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1898127 13f79535-47bb-0310-9956-ffa450edef68
2022-02-16 12:35:36 +00:00
b90220157d *) mod_http2: :scheme pseudo-header values, not matching the
connection scheme, are forwarded via absolute uris to the
     http protocol processing to preserve semantics of the request.
     Checks on combinations of pseudo-headers values/absence
     have been added as described in RFC 7540.
     Fixes <https://github.com/icing/mod_h2/issues/230>.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897940 13f79535-47bb-0310-9956-ffa450edef68
2022-02-10 10:59:08 +00:00
600072cf7c ab: Fix the detection for when the server performed a legitimate
connection close as per RFC7230 6.3.1. We must check whether the
connection was previously kept alive, and not whether the current
closed request is keepalive.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897912 13f79535-47bb-0310-9956-ffa450edef68
2022-02-09 18:23:23 +00:00
4a6bf7f895 *) mod_http2: when a h2 request carries a ':scheme' pseudoheader,
it gives a 400 response if the scheme does not match the
    connection. Fixes <https://github.com/icing/mod_h2/issues/230>.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897872 13f79535-47bb-0310-9956-ffa450edef68
2022-02-08 13:38:49 +00:00
5540d05c9f ab: Add an optional ramp delay when starting concurrent connections so
as to not trigger denial of service protection in the network. Report
levels of concurrency achieved in cases where the test completes before
full concurrency is achieved.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897866 13f79535-47bb-0310-9956-ffa450edef68
2022-02-08 12:34:52 +00:00
cbde30f832 * mod_md) do not interfere with requests to /.well-known/acme-challenge/
resources if challenge type 'http-01' is not configured for a domain.
    Fixes <https://github.com/icing/mod_md/issues/279>.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897863 13f79535-47bb-0310-9956-ffa450edef68
2022-02-08 12:18:45 +00:00
17f35eb66d Reinstate r1897458 accidentally reverted in r1897760.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897861 13f79535-47bb-0310-9956-ffa450edef68
2022-02-08 11:22:14 +00:00
fd79f533bf Follow up to r1896253: CHANGES entry. [skip ci]
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897859 13f79535-47bb-0310-9956-ffa450edef68
2022-02-08 11:09:11 +00:00
7953689acc Sync CHANGES entries. [skip ci]
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897858 13f79535-47bb-0310-9956-ffa450edef68
2022-02-08 11:04:49 +00:00
711bf3ee18 *) mod_md: the status description in MDomain's JSON, exposed in the
md-status handler (if configured) did sometimes not carry the correct
     message when certificates needed renewal.
     [Stefan Eissing]



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897819 13f79535-47bb-0310-9956-ffa450edef68
2022-02-07 14:40:46 +00:00
b11e669f07 *) core/mod_ssl/mpm_event: reverting changes to nonblocking SSL handshakes
to stabilize CI tests again. Previous revision of trunk has been copied
     to branches/trunk-ssl-handshake-unblocking to make those into a PR where
     changes can be discussed and tested separately.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897760 13f79535-47bb-0310-9956-ffa450edef68
2022-02-04 12:22:26 +00:00
c6960b3b4c * Stupid mine. Evgeny is a committer here
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897619 13f79535-47bb-0310-9956-ffa450edef68
2022-01-31 08:58:36 +00:00
df7e92eac8 * Fix typo
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897615 13f79535-47bb-0310-9956-ffa450edef68
2022-01-31 08:19:14 +00:00
e5d6b2a50e * CHANGES entry for r1897182
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897614 13f79535-47bb-0310-9956-ffa450edef68
2022-01-31 08:16:35 +00:00
88ffb0ecd3 ab: Respond appropriately to SSL_ERROR_WANT_READ and SSL_ERROR_WANT_WRITE.
Previously the correct event was polled for, but the response to the poll
would call write instead of read, and read instead of write. PR 55952


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897458 13f79535-47bb-0310-9956-ffa450edef68
2022-01-25 15:54:22 +00:00
4145dfbd86 mod_reqtimeout: Set socket timeout for AP_MODE_INIT.
If the SSL handshake is initiated by ssl_hook_process_connection() in
AP_MODE_INIT mode, we still want to adapt the socket timeout according
to the time left for the handshake.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897422 13f79535-47bb-0310-9956-ffa450edef68
2022-01-24 16:08:14 +00:00
af55830264 mod_unixd: Make CoreDumpDirectory work for FreeBSD 11+. PR 65819.
FreeBSD 11+ coredumping requires tracing enabled via procctl(PROC_TRACE_CTL).

Submitted by: David CARLIER <devnexen gmail.com>
Reviewed by: ylavic (by inspection)


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897269 13f79535-47bb-0310-9956-ffa450edef68
2022-01-20 20:03:04 +00:00
702712a43d Follow up to r1897240: CHANGES entry.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897242 13f79535-47bb-0310-9956-ffa450edef68
2022-01-20 11:37:16 +00:00
371f5669ca mpm_event: Fix a possible listener deadlock. PR 65769.
When the listener starts accepting more connections than the number of workers
already started (due to scheduling), the listening sockets get disabled (per
AH03269) but nothing was re-enabling them before the end of the connections,
despite the creation of more idle/available workers in the meantime.
In the worst case there is no idle worker when the listener accepts the first
connection thus nothing to wake up the listener blocked in poll() with no
socket, hence a deadlock.

Fix this by waking up the listener when a worker becomes idle and this unblocks
connections_above_limit(). This is also worthwhile when all the workers are
started (fully initialized runtime) since the number of idle workers is a
condition for connections_above_limit() anyway so the sooner the listeners are
re-enabled the better (the other condition is the number of connections which
is unblocked appropriately by decrement_connection_count() already).

Also when a child exits with ps->quiescing == 1 and it's caught by
server_main_loop() before perform_idle_server_maintenance(), active_daemons was
not decremented as needed (including across restarts), leading to an invalid
active_daemons accounting.

* server/mpm/event/event.c(should_enable_listensocks):
  New helper that returns whether listening sockets can be poll()ed again.

* server/mpm/event/event.c(decrement_connection_count, listener_thread):
  Use should_enable_listensocks() where previously open-coded.

* server/mpm/event/event.c(worker_thread):
  Wake up the listener when is_idle => 1 and should_enable_listensocks().
  Have a single point of exit when workers_may_exit to make sure that the
  wake always occurs (even when exiting).

* server/mpm/event/event.c(server_main_loop):
  Decrement active_daemons not only when !ps->quiescing but also when
  ps->quiescing == 1, i.e. all the cases not handled by
  perform_idle_server_maintenance() already.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1896505 13f79535-47bb-0310-9956-ffa450edef68
2021-12-29 13:12:44 +00:00
f7067a9385 Add a change entry for r1896278
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1896279 13f79535-47bb-0310-9956-ffa450edef68
2021-12-22 14:36:29 +00:00
14ffd8c7b3 Sync changes-entries [skip ci].
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1895953 13f79535-47bb-0310-9956-ffa450edef68
2021-12-14 15:24:32 +00:00
3ec0ffb9e1 http: Enforce that fully qualified uri-paths not to be forward-proxied
have an http(s) scheme, and that the ones to be forward proxied have a
      hostname, per HTTP specifications.

The early checks avoid failing the request later on and thus save cycles
for those invalid cases.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1895921 13f79535-47bb-0310-9956-ffa450edef68
2021-12-13 18:55:18 +00:00
b8a58e6aa9 * Correctly send a 100 Continue status code when sending an interim
response as result of an Expect: 100-Continue in the request and not the
  current status code of the request.

PR: 65725


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1895719 13f79535-47bb-0310-9956-ffa450edef68
2021-12-09 08:38:30 +00:00
1598f7aebd *) mod_http2: fixed a bug in v2.0.0 that could lead to an infinite
loop when clients close connections prematurely.
     Enhanced the scoreboard status updates on h2 connections for
     mod_status. 'server-status' now gives a better idea what the
     connection is working on.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1895614 13f79535-47bb-0310-9956-ffa450edef68
2021-12-06 10:34:27 +00:00
34da2e78b7 Sync CHANGES entries. [skip ci].
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1895558 13f79535-47bb-0310-9956-ffa450edef68
2021-12-03 16:09:47 +00:00
85ae4b4d6a *) mod_tls: added mod_tls from abetterinternet, donated
by ISRG/Prossimo <https://github.com/abetterinternet/mod_tls>.
     - adds front-/backend TLS (v1.2/v1.3) via the Rust rustls crate
       and its rustls-ffi C binding <https://github.com/rustls/rustls-ffi>.
     - documentation at <https://github.com/abetterinternet/mod_tls>
       (adding to Apache's manual TBD)
     - build support for Apache httpd configure on *nix platforms,
       rustls is linked statically into mod_tls.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1895432 13f79535-47bb-0310-9956-ffa450edef68
2021-11-30 16:29:20 +00:00
9974b5a0e6 * mod_http2: the new pollset implementation is disabled when
compiling with an APR version less than 1.6.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1895349 13f79535-47bb-0310-9956-ffa450edef68
2021-11-26 09:29:07 +00:00
5338e45798 mod_proxy: SetEnv proxy-nohalfclose to disable half-close tunneling. PR 65662.
Some connect/wstunnel protocols might want half-close forwarding while some
might not, let's provide an r->subprocess_env opt-out.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1895304 13f79535-47bb-0310-9956-ffa450edef68
2021-11-24 17:49:47 +00:00
331504f01e *) mod_md: values for External Account Binding (EAB) can
now also be configured to be read from a separate JSON
     file. This allows to keep server configuration permissions
     world readable without exposing secrets.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1895285 13f79535-47bb-0310-9956-ffa450edef68
2021-11-24 10:13:42 +00:00
81595a3948 * mod_http2: a regression in v1.15.24 of the modules was fixed that
could lead to httpd child processes not being terminated on a
    graceful reload or when reaching MaxConnectionsPerChild.
    When unprocessed h2 requests were queued at the time, these could stall.
    See <https://github.com/icing/mod_h2/issues/212>.
    [@hansborr, @famzah, Stefan Eissing]



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1894728 13f79535-47bb-0310-9956-ffa450edef68
2021-11-04 09:42:45 +00:00
51a214821c *) mod_md: adding v2.4.8 with the following changes
- Added support for ACME External Account Binding (EAB).
      Use the new directive `MDExternalAccountBinding` to provide the
      server with the value for key identifier and hmac as provided by
      your CA.
      While working on some servers, EAB handling is not uniform
      across CAs. First tests with a Sectigo Certificate Manager in
      demo mode are successful. But ZeroSSL, for example, seems to
      regard EAB values as a one-time-use-only thing, which makes them
      fail if you create a second account or retry the creation of the
      first account with the same EAB.
    - The directive 'MDCertificateAuthority' now checks if its parameter
      is a http/https url or one of a set of known names. Those are
      'LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test'
      for now and they are not case-sensitive.
      The default of LetsEncrypt is unchanged.
    - `MDContactEmail` can now be specified inside a `<MDomain dnsname>`
      section.
    - Treating 401 HTTP status codes for orders like 403, since some ACME
      servers seem to prefer that for accessing orders from other accounts.
    - When retrieving certificate chains, try to read the response even
      if the HTTP Content-Type is unrecognized.
    - Fixed a bug that reset the error counter of a certificate renewal
      and prevented the increasing delays in further attempts.
    - Fixed the renewal process giving up every time on an already existing
      order with some invalid domains. Now, if such are seen in a previous
      order, a new order is created for a clean start over again.
      See <https://github.com/icing/mod_md/issues/268>
    - Fixed a mixup in md-status handler when static certificate files
      and renewal was configured at the same time.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1894610 13f79535-47bb-0310-9956-ffa450edef68
2021-10-29 09:04:38 +00:00
98595201df followup to r1894456: use a DirectorySlash argument instead
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1894460 13f79535-47bb-0310-9956-ffa450edef68
2021-10-22 00:12:40 +00:00
b125eddc68 add DirectorySlashNotFound to silence scanners
Almost as awkwardly named as IndexForbiddenReturn404 



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1894456 13f79535-47bb-0310-9956-ffa450edef68
2021-10-21 18:54:46 +00:00
9c14928e79 add IndexForbiddenReturn404 to help silence scanners
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1894455 13f79535-47bb-0310-9956-ffa450edef68
2021-10-21 18:52:48 +00:00
dcbf44fb14 mod_proxy_connect: Honor the smallest of the backend or client timeout.
It seems that mod_proxy_connect has never applied any timeout in its tunneling
loop. Address this by setting a default timeout in ap_proxy_tunnel_create()
since mod_proxy_connect does not overwrite tunnel->timeout (while proxy_http
and proxy_wstunnel do).

This default timeout is set to the smallest of the backend side or the client
side timeout.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1894290 13f79535-47bb-0310-9956-ffa450edef68
2021-10-15 11:09:32 +00:00