- removed no longer needed (char*) casts when looking
up ssl variables.
- move 'goto cleanup;' on separate source line
- fixed check for wrong optional function in ap_run_ssl_var_lookup
- remove ap_bytes_t again from httpd.h and passes now ocsp
identifier as separate const char* and apr_size_t. This
follows more how such data is passed in the rest of the
server.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889009 13f79535-47bb-0310-9956-ffa450edef68
* leaving mod_nw_ssl and mod_ssl itself untouched
* removing mod_ssl.h includes where no longer necessary
* some modules might skip post_config hooks, but those were left in, even when empty now.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887364 13f79535-47bb-0310-9956-ffa450edef68
Consistently use pconf for ap_proxy_define_{worker,balancer}() and pchild for
ap_proxu_initialize_{worker,balancer}() in mod_proxy [child_]init code.
pchild is needed in _initialize() for mutexes/shms' child_init and cleanup,
and to avoid a crash on shutdown (i.e. ap_terminate) in ONE_PROCESS mode,
where worker->cp->pool is destroyed twice, let's register conn_pool_cleanup()
as a pre_cleanup of pchild.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1883744 13f79535-47bb-0310-9956-ffa450edef68
to configure the Basic auth credentials to send to the remote proxy.
(Note that credentials are always sent w/o waiting for a challenge as
with proxy-chain-auth, and only Basic is supported - both of which are
not exactly ideal - but better than nothing.)
* modules/proxy/mod_proxy.h (struct proxy_remote): Add creds field.
* modules/proxy/mod_proxy.c (proxy_handler): Pass forward proxy
credentials via r->notes.
(add_proxy): Take credentials and base64-encode into ->creds field if
passed.
(add_proxy_noregex, add_proxy_regex): Take optional creds argument.
* modules/proxy/proxy_util.c (ap_proxy_determine_connection):
Use proxy credentials from r->notes if available.
(ap_proxy_create_hdrbrgd): Set Proxy-Authorization header from
credentials in r->notes if present.
PR: 37355
Github: closes#135
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1881790 13f79535-47bb-0310-9956-ffa450edef68
When supported by the MPM (i.e. "event"), provide async callbacks and let
them be scheduled by ap_mpm_register_poll_callback_timeout(), while the
handler returns SUSPENDED.
The new ProxyAsyncDelay directive (if positive) enables async handling,
while ProxyAsyncIdleTimeout determines the timeout applied on both ends
while tunneling.
Github: closes#126
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1879419 13f79535-47bb-0310-9956-ffa450edef68
It is not a failure in current 2.4.x, so to ease backport and to avoid compat
breakage simply warn about the second directive being ignored.
This commit can be reverted in trunk if we want next versions to fail in this
case.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1879361 13f79535-47bb-0310-9956-ffa450edef68
If a ProxyPass mapping=servlet matches (in pre_trans hook), update r->uri with
the servlet normalization so that later <Location> or any dir context match
does not have to handle potential path parameters.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1879235 13f79535-47bb-0310-9956-ffa450edef68
Instead of having a separate ProxyUseOriginalURI directive to control pre_ vs
normal translate stage, let's handle this at each ProxyPass level, with the
mapping= parameter.
At pre_translate stage mod_proxy will handle the "encoded" mapping only, and
at translate stage only the others (unless a worker was already elected at
the first stage).
Note that since mapping=servlet needs to happen encoded too, it's defined like:
#define PROXYPASS_MAP_ENCODED 0x08
#define PROXYPASS_MAP_SERVLET 0x18 /* + MAP_ENCODED */
so uch that proxy_trans does the right thing.
Follow up to r1879080: replace ProxyUseOriginalURI by mapping=encoded.
Instead of having a separate ProxyUseOriginalURI directive to control pre_ vs
normal translate stage, let's handle this at each ProxyPass level, with the
mapping= parameter.
At pre_translate stage mod_proxy will handle the "encoded" mapping only, and
at translate stage only the others (unless a worker was already elected at
the first stage).
Note that since mapping=servlet needs to happen encoded too, it's defined like:
#define PROXYPASS_MAP_ENCODED 0x08
#define PROXYPASS_MAP_SERVLET 0x18 /* + MAP_ENCODED */
so that proxy_trans does the right thing.
This allows for simpler and consistent mapping configuration, where the
translate stage depends only on the mapping= parameter.
To implement a fast path (do nothing) when no encoded mapping is configured
at pre_trans stage, or all mappings are encoded at translate stage, two bits
are added to proxy_server_conf (map_encoded_one:1, map_encoded_all:1) and
updated at load time. Thus MINOR is bumped too.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1879145 13f79535-47bb-0310-9956-ffa450edef68
Don't decode r->uri when pre_trans returns DONE instead of OK, which allows to
preserve previous behaviour where decoding was avoided for "ProxyRequests on"
or post_read_request RewriteRule [P] only, but not ProxyPass'ed requests.
This also preserves decoded location walk in most/same cases.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1879137 13f79535-47bb-0310-9956-ffa450edef68
Provide alias_match_servlet(), the servlet counterpart of alias_match(),
which maps the request URI-path to the ProxyPass alias ignoring path
parameters, while still forwarding them (above the alias).
This is needed to proxy servlet URIs for application handled by Tomcat,
which can then make use of the path/segments parameters.
Github: closes#128
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1879080 13f79535-47bb-0310-9956-ffa450edef68
It helps simplifying a lot of duplicated code based on apr_strtoff(), while
also rejecting leading plus/minus signs which are dissalowed in Content-Length
and (Content-)Range headers.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1877954 13f79535-47bb-0310-9956-ffa450edef68
The list can be rather long, speed up runtime by sorting the status codes in
error_override_codes and using binary search from ap_proxy_should_override().
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1877728 13f79535-47bb-0310-9956-ffa450edef68
If the request Upgrade header matches the worker upgrade= parameter and
the backend switches the protocol, do the tunneling in mod_proxy_http.
This allows to keep the protocol to HTTP until the backend really
switches the protocol, and apply usual output filters.
When configured to forward Upgrade mechanism, we want the backend to be
able to announce its Upgrade protocol to the client (e.g. with 426
Upgrade Required response) and thus forward back the Upgrade header that
matches the one(s) configured in the worker upgrade= parameter.
modules/proxy/mod_proxy.h:
modules/proxy/proxy_util.c:
ap_proxy_worker_can_upgrade(): added helper to determine whether a
proxy worker is configured to forward an Upgrade protocol.
include/ap_mmn.h:
Bump MMN minor for ap_proxy_worker_can_upgrade().
modules/proxy/mod_proxy.c:
set_worker_param(): handle worker parameter upgrade=ANY as upgrade=*
(should the "any" protocol scheme be something some day..).
modules/proxy/mod_proxy_wstunnel.c:
proxy_wstunnel_handler(): use ap_proxy_worker_can_upgrade() to match
the Upgrade header. Axe handling of upgrade=NONE, it makes no sense to
Upgrade a connection if the client did not ask for it, nor to configure
mod_proxy_wstunnel to use a worker with upgrade=NONE by the way.
modules/proxy/mod_proxy_http.c:
proxy_http_req_t: add fields force10 (force HTTP/1.0) and upgrade (value
of the Upgrade header sent by the client if it matches the configuration,
NULL otherwise).
proxy_http_handler(): use ap_proxy_worker_can_upgrade() to determine
whether the request is electable for end to end protocol upgrading and set
req->upgrade accordingly.
terminate_headers(): handle Connection and Upgrade headers to send to the
backend, according to req->force10 and req->upgrade set before.
ap_proxy_http_prefetch(): use req->force10 and terminate_headers().
send_continue_body(): added helper to send the body retained for end to
end 100-continue handling.
ap_proxy_http_process_response(): use ap_proxy_worker_can_upgrade() to
match the response Upgrade header and forward it back if it matches the
configured one(s). That is for 101 Switching Protocol obviously but also
any other status code which is not overidden, at the backend wish. If the
protocol is switching, create a proxy tunnel and run it, using the minimal
timeout from the client or backend connection.
Github: closes#125
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1877646 13f79535-47bb-0310-9956-ffa450edef68
Support specifying the http status codes to be considered by ProxyErrorOverride
Submitted By: Martin Drößler <mail martindroessler.de>
Committed By: covener
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1876404 13f79535-47bb-0310-9956-ffa450edef68
This allows proxy modules to decline request handling at early stage.
Then mod_proxy_wstunnel can implement that hook to verify that an Upgrade
is requested, and otherwise hand over to mod_proxy_http.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1869399 13f79535-47bb-0310-9956-ffa450edef68
Remove some useless spaces which have never been backported in 2.4.x.
This was part of r1724879 and was backported in r1744951
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1863453 13f79535-47bb-0310-9956-ffa450edef68
used as drop-in replacements for unusable workers in the same load balancer set. This differs
from hot standbys which are only used when all workers in a set are unusable. PR 61140.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1828890 13f79535-47bb-0310-9956-ffa450edef68
incomplete and not backportable, fix it by introducing NOT_IN_DIR_CONTEXT and
restoring NOT_IN_DIR_LOC_FILE to its previous value.
Per ap_check_cmd_context(), NOT_IN_DIR_LOC_FILE actually/really means "not in
any directory context", while the definition itself does not include all the
existing directory contexts (e.g. <Limit>, or <Proxy> before r1740928).
This is a bit of a misnomer, at least, so instead of (ab)using it by adding the
missing contexts (in an incompatible way), let's define NOT_IN_DIR_CONTEXT to
really exclude all directory context (i.e. NOT_IN_DIR_LOC_FILE + NOT_IN_LIMIT +
NOT_IN_PROXY) and use it wherever NOT_IN_DIR_LOC_FILE was used.
This is by itself a major MMN bump (modules not compiled with this commit and
having directives checked against NOT_IN_DIR_LOC_FILE won't be caught the same
way by NOT_IN_DIR_CONTEXT in the new ap_check_cmd_context() code), but with the
below change, 2.4.x should work as before:
- if ((forbidden & NOT_IN_DIR_CONTEXT) == NOT_IN_DIR_CONTEXT) {
+ if ((forbidden & NOT_IN_DIR_LOC_FILE) == NOT_IN_DIR_LOC_FILE) {
if (cmd->path != NULL) {
return apr_pstrcat(cmd->pool, cmd->cmd->name, gt,
- " cannot occur within directory context", NULL);
+ " cannot occur within <Directory/Location/Files/Proxy> "
+ "section", NULL);
}
...
}
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1812193 13f79535-47bb-0310-9956-ffa450edef68
Both of these checks are problematic without further
work.
status: even a .htaccess with no SetHandler blocks the handler.
proxy: RewriteRule ... ... [P] in htaccess is blocked.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1796352 13f79535-47bb-0310-9956-ffa450edef68
committing for discussion purposes to trunk. I have reopened PR60458 because
I am tempted to revert the entire thing, it was not really a release-to-release
regression because the reporter arbitrarily used a new 2.4 syntax and the semantics
were unclear.
It is useful to have global exceptions apply to per-location proxypass, but it totally
breaks the "fast" lookup part of it.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1780909 13f79535-47bb-0310-9956-ffa450edef68
*) mod_proxy: Honor a server scoped ProxyPass exception when ProxyPass is
configured in <Location>, like in 2.2. PR 60458.
[Eric Covener]
reverted in r1781324
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1773397 13f79535-47bb-0310-9956-ffa450edef68
To help out users when debugging ProxyPass and ProxyPassMatch, log all
match attempts (at trace2), as well as matches that are either
successful or explicitly disabled (at trace1).
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1762517 13f79535-47bb-0310-9956-ffa450edef68
