293 Commits

Author SHA1 Message Date
98595201df followup to r1894456: use a DirectorySlash argument instead
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1894460 13f79535-47bb-0310-9956-ffa450edef68
2021-10-22 00:12:40 +00:00
b125eddc68 add DirectorySlashNotFound to silence scanners
Almost as awkwardly named as IndexForbiddenReturn404 



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1894456 13f79535-47bb-0310-9956-ffa450edef68
2021-10-21 18:54:46 +00:00
9c14928e79 add IndexForbiddenReturn404 to help silence scanners
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1894455 13f79535-47bb-0310-9956-ffa450edef68
2021-10-21 18:52:48 +00:00
dcbf44fb14 mod_proxy_connect: Honor the smallest of the backend or client timeout.
It seems that mod_proxy_connect has never applied any timeout in its tunneling
loop. Address this by setting a default timeout in ap_proxy_tunnel_create()
since mod_proxy_connect does not overwrite tunnel->timeout (while proxy_http
and proxy_wstunnel do).

This default timeout is set to the smallest of the backend side or the client
side timeout.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1894290 13f79535-47bb-0310-9956-ffa450edef68
2021-10-15 11:09:32 +00:00
4f9e7cf5d7 mpm_event: Restart stopping of idle children after a load peak. PR 65626.
r1770752 added an heuristic to avoid stopping children when the load triggers
MaxSpareThreads but children take some time to shut down until the point where
active_daemons_limit/ServerLimit is reached (scoreboard full) and no child gets
created to handle incoming connections.

However when this happens there is nothing to stop children again when the load
settles down (besides MaxRequestsPerChild, which may be 0) so let's restart to
stop children again if/when idle_thread_count reaches max_workers / 4.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1894285 13f79535-47bb-0310-9956-ffa450edef68
2021-10-15 10:29:00 +00:00
59b7c104ce *) core: Be safe with ap_lingering_close() called with a socket NULL-ed.
PR 65627. 

mod_itk seems to:
  ap_set_core_module_config(c->conn_config, NULL)
before calling ap_lingering_close(), causing a crash after r1891721.
Until we have an API to no-op ap_lingering_close(), let's be safe.

* server/connection.c(ap_start_lingering_close):
  The socket should not be NULL here, add an assertion.

* server/connection.c(ap_lingering_close):
  Set c->aborted if the socket is NULL, and give up.

Submitted by: acmondor <bz.apache.org acmondor.ca>, ylavic



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1894171 13f79535-47bb-0310-9956-ffa450edef68
2021-10-12 16:48:18 +00:00
6a355db082 *) mod_http2:
     - Fixed an issue since 1.15.24 that "Server" headers in proxied requests
       were overwritten instead of preserved. [PR by @daum3ns]
     - Added directive 'H2StreamTimeout' to configure a separate value for HTTP/2
       streams, overriding server's 'Timeout' configuration. [rpluem]
     - HTTP/2 connections now use pollsets to monitor the status of the
       ongoing streams and their main connection when host OS allows this.
     - Removed work-arounds for older versions of libnghttp2 and checking
       during configure that at least version 1.15.0 is present.
     - The HTTP/2 connection state handler, based on an experiment and draft
       at the IETF http working group (abandoned for some time), has been removed.
     - H2SerializeHeaders no longer has an effect. A warning is logged when it is
       set to "on". The switch enabled the internal writing of requests to be parsed
       by the internal HTTP/1.1 protocol handler and was introduced to avoid
       potential incompatibilities during the introduction of HTTP/2.
     - Removed the abort/redo of tasks when mood swings lower the active limit.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1894163 13f79535-47bb-0310-9956-ffa450edef68
2021-10-12 13:34:01 +00:00
fa7f375306 mod_proxy_uwsgi: Remove duplicate slashes at the beginning of PATH_INFO.
To accommodate for configs like:
    ProxyPass /uwsgi-pp uwsgi://localhost:8001/
which before r1892805 did not produce a leading double-slash in PATH_INFO.

Submitted by: rpluem



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1894074 13f79535-47bb-0310-9956-ffa450edef68
2021-10-09 15:22:00 +00:00
476b41695c Sync CHANGES [skip ci].
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893983 13f79535-47bb-0310-9956-ffa450edef68
2021-10-07 12:41:24 +00:00
607bc8677f Missing credits [skip ci].
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893979 13f79535-47bb-0310-9956-ffa450edef68
2021-10-07 12:29:31 +00:00
48b5dfd696 core: Add ap_unescape_url_ex() for better decoding control, and deprecate
unused AP_NORMALIZE_DROP_PARAMETERS flag.
 


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893971 13f79535-47bb-0310-9956-ffa450edef68
2021-10-07 12:00:20 +00:00
7ecfc5b3a8 * Fix memory leak in case of failures to load the private key.
PR: 65620


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893969 13f79535-47bb-0310-9956-ffa450edef68
2021-10-07 11:55:51 +00:00
e150697086 core: AP_NORMALIZE_DECODE_UNRESERVED should normalize the second encoded dot.
Otherwise ap_normalize_path() can leave some "%2e" encoded.
 


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893724 13f79535-47bb-0310-9956-ffa450edef68
2021-09-29 12:35:25 +00:00
3d2842e915 mod_proxy: Add tunnel_forward hook.
* modules/proxy/mod_proxy.h, modules/proxy/mod_proxy.c:
  Declare/implement the hook.

* modules/proxy/proxy_util.c(proxy_transfer):
  Run tunnel_forward hooks when called by the tunneling loop.
  Simpler input/output brigade cleanup on exit.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893603 13f79535-47bb-0310-9956-ffa450edef68
2021-09-24 15:52:50 +00:00
df3a613555 * Update CHANGES [skip ci]
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893590 13f79535-47bb-0310-9956-ffa450edef68
2021-09-24 06:45:09 +00:00
7f08c2bfa1 * Correctly handle errors returned by dav providers on REPORT requests.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893589 13f79535-47bb-0310-9956-ffa450edef68
2021-09-24 06:42:04 +00:00
8720881b06 * Correctly decrement active_daemons also in the case that the child
process decides on its own to die because of MaxRequestsPerChild.

PR: 65592


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893520 13f79535-47bb-0310-9956-ffa450edef68
2021-09-22 18:48:25 +00:00
6d476a6695 mod_proxy: Handle UDS URIs with empty hostname as if they had no hostname.
It was reported to me (privately) that r1893101 broke existing settings like:
  SetHandler "proxy:unix:///path/to/uds.sock|fcgi://localhost/"

RFC 3986 (section 3.2.2) says that:
   If the URI scheme defines a default for host, then that default
   applies when the host subcomponent is undefined or when the
   registered name is empty (zero length).  For example, the "file" URI
   scheme is defined so that no authority, an empty host, and
   "localhost" all mean the end-user's machine, whereas the "http"
   scheme considers a missing authority or empty host invalid.

Let's consider that the "unix" scheme is closer to the "file" scheme than
the "http" one, and accept "unix:///path/to/uds.sock" as a valid URI.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893519 13f79535-47bb-0310-9956-ffa450edef68
2021-09-22 18:47:09 +00:00
6d76cbb910 mod_rewrite: Fix UDS ("unix:") scheme for [P] rules. PR 57691 + 65590.
Handle the unix: scheme as an absolute URI or a rule like:
  RewriteRule ^/(.*) unix:/path/to/uds.sock|fcgi://localhost/$1 [P]
sets r->filename for /index.html as:
  proxy:http://www.example.com/unix:/path/to/uds.sock|http://localhost/index.html
instead of the expected:
  proxy:unix:/path/to/uds.sock|http://localhost/index.html

Submitted by: Janne Peltonen <janne.peltonen sange.fi>
Reviewed by: ylavic



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893516 13f79535-47bb-0310-9956-ffa450edef68
2021-09-22 18:16:38 +00:00
994787e126 * Add change entry for r1893497 [skip ci]
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893507 13f79535-47bb-0310-9956-ffa450edef68
2021-09-22 07:02:28 +00:00
00e2ca574f *) mod_md: when MDMessageCmd for a 'challenge-setup:<type>:<dnsname>'
     fails (!= 0 exit), the renewal process is aborted and an error is
     reported for the MDomain. This provides scripts that distribute
     information in a cluster to abort early without bothering an ACME
     server to validate a dns name that will not work. The common
     retry logic will make another attempt in the future, as with
     other failures.
     Fixed a bug when adding private key specs to an already working
     MDomain, see <https://github.com/icing/mod_md/issues/260>.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893399 13f79535-47bb-0310-9956-ffa450edef68
2021-09-17 12:18:41 +00:00
44abd7180e *) mod_md: fixed a bug in handling multiple parallel OCSP requests. These could
     run into an assertion which terminated (and restarted) the child process where
     the task was running. Eventually, all OCSP responses were collected, but not
     in the way that things are supposed to work.
     See also <https://bz.apache.org/bugzilla/show_bug.cgi?id=65567>.
     The bug was possibly triggered when more than one OCSP status needed updating
     at the same time. For example for several renewed certificates after a server
     reload.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893359 13f79535-47bb-0310-9956-ffa450edef68
2021-09-15 13:22:27 +00:00
2fd8dd4a5e formatting change entry [skip ci]
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893215 13f79535-47bb-0310-9956-ffa450edef68
2021-09-10 08:18:32 +00:00
5057dc6a8e * mod_http2: when a server is restarted gracefully, any idle h2 worker
threads are shut down immediately. [Stefan Eissing]



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893214 13f79535-47bb-0310-9956-ffa450edef68
2021-09-10 08:14:48 +00:00
2b7f51ade7 core: Add ap_create_connection() to create a server or client/proxy connection.
c->outgoing shouldn't be set by mod_ssl, ap_create_connection() allows that
and this commit also replaces all the calls to ap_run_create_connection() in
mod_proxy modules (not in the MPMs which create incoming connections only).

* include/http_connection.h, server/connection.c:
  Declare and implement ap_create_connection().

* modules/proxy/proxy_util.c, modules/proxy/mod_proxy_connect.c,
  modules/proxy/mod_proxy_ftp.c:
  Use ap_create_connection() instead of ap_run_create_connection(), and don't
  provide a connection_id a scoreboard handle for outgoing connection.

* server/log.c(do_errorlog_default):
  Use c->outgoing instead of c->sbh to determine if it's a "client" or "remote"
  connection.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893184 13f79535-47bb-0310-9956-ffa450edef68
2021-09-09 16:55:24 +00:00
40df9da013 Sync CHANGES [skip ci].
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893049 13f79535-47bb-0310-9956-ffa450edef68
2021-09-07 15:29:23 +00:00
74c097f0e1 core: Initialize the request fields on read failure to avoid NULLs.
* server/protocol.c(read_request_line):
  Set r->method_number to M_INVALID and r->{method,uri,unparsed_uri} to "-"
  when read fails, ap_parse_request_line() will never be called.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893030 13f79535-47bb-0310-9956-ffa450edef68
2021-09-07 13:09:07 +00:00
e8dce10f62 Revert r1893026, will re-commit with minimal changes to ease backport.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893028 13f79535-47bb-0310-9956-ffa450edef68
2021-09-07 13:05:22 +00:00
d4f195853b core: Initialize the request fields on read failure to avoid NULLs.
* server/protocol.c(read_request_line):
  Set r->method_number to M_INVALID and r->{method,uri,unparsed_uri} to "-"
  when read fails, ap_parse_request_line() will never be called.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893026 13f79535-47bb-0310-9956-ffa450edef68
2021-09-07 13:00:06 +00:00
22895e737d mod_proxy: Don't canonicalize with both nocanon and ProxyPassInterpolateEnv On.
If nocanon is set, we should match the unparsed_uri against the interpolated
alias (not the ProxyPass'ed one) when verifying the resulting length. Otherwise
we falsely restore the canonicalized URL in case of mismatch.  PR 65549.

Submitted by: Joel Self <joelself gmail.com>



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893016 13f79535-47bb-0310-9956-ffa450edef68
2021-09-07 10:16:03 +00:00
03442ed466 mpm_event: Fix children processes possibly not stopped on graceful restart.
The number of children spawned can go above active_daemons_limit due to
exponential idle_spawn_rate growth (x 2), enforce the upper limit in
perform_idle_server_maintenance().  PR 63169.

Proposed by: Joel Self <joelself gmail.com>


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893014 13f79535-47bb-0310-9956-ffa450edef68
2021-09-07 09:34:09 +00:00
0df673fcce Reduce the time window where duplicates may be generated by mod_uniqueid
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1892915 13f79535-47bb-0310-9956-ffa450edef68
2021-09-05 05:58:57 +00:00
8fc481e28a Revert r1887244 and r1887245 which causes issues on Windows
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1892914 13f79535-47bb-0310-9956-ffa450edef68
2021-09-05 05:41:37 +00:00
2a8cdcefdf Sync CHANGES [skip ci].
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1892879 13f79535-47bb-0310-9956-ffa450edef68
2021-09-03 17:07:37 +00:00
520dcd80a4 mod_proxy: Faster unix socket path parsing in the "proxy:" URL.
The actual r->filename format is "[proxy:]unix:path|url" for UDS, no need to
strstr(,"unix:") since it's at the start of the string.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1892814 13f79535-47bb-0310-9956-ffa450edef68
2021-09-02 12:37:02 +00:00
b364cad72b mod_proxy_uwsgi: Fix PATH_INFO setting for generic worker.
When the generic "proxy:reverse" worker is selected for an uwsgi scheme, the
worker name is irrelevant so uwscgi_handler() should point to the PATH_INFO
directly from the given URL.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1892805 13f79535-47bb-0310-9956-ffa450edef68
2021-09-02 09:53:43 +00:00
62e6e7081e mod_md:
* Certificate/keys pairs are verified as matching before a renewal is accepted
   as successful or a staged renewal is replacing the existing certificates.
   This avoids potential mess-ups in the md store file system to render the active
   certificates non-working. [@mkauf]



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1892782 13f79535-47bb-0310-9956-ffa450edef68
2021-09-01 13:16:03 +00:00
e8228ba4e6 mod_proxy: Fix potential tunneling infinite loop and spurious timeout.
PRs 65521 and 65519.

* modules/proxy/proxy_util.c(ap_proxy_tunnel_run):
  Avoid an infinite loop by shutting down the connection for write when poll()
  returns POLLHUP and read is already down.  PR 65521.

* modules/proxy/proxy_util.c(ap_proxy_tunnel_run):
  When write completion is finished don't check for ap_filter_input_pending()
  before proxy_tunnel_forward() to flush input data, this is a nonblocking read
  already which will do the same thing implicitly. ap_filter_input_pending()
  is broken in 2.4.x without the whole pending data mechanism (not backported
  yet), so let's align here.  PR 65519.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1892740 13f79535-47bb-0310-9956-ffa450edef68
2021-08-30 18:04:20 +00:00
c1619c6843 Sync CHANGES entries [skip ci].
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1892737 13f79535-47bb-0310-9956-ffa450edef68
2021-08-30 17:05:13 +00:00
19360d53df * core/mpm: add hook `child_stopping` that gets called when the MPM is
    stopping a child process. The additional `graceful` parameter allows
    registered hooks to free resources early during a graceful shutdown.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1891919 13f79535-47bb-0310-9956-ffa450edef68
2021-07-31 13:36:19 +00:00
67c17882e1 Follow up to r1891716: CHANGES entry. [skip ci]
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1891728 13f79535-47bb-0310-9956-ffa450edef68
2021-07-22 17:18:00 +00:00
3fe911d3c9 *) mod_md:
     - Domain names in `<MDomain ...>` can now appear in quoted form.
     - Fixed a failure in ACME challenge selection that aborted further searches
       when the tls-alpn-01 method did not seem to be suitable.
     - Changed the tls-alpn-01 setup to only become unsuitable when none of the
       dns names showed support for a configured 'Protocols ... acme-tls/1'. This
       allows use of tls-alpn-01 for dns names that are not mapped to a VirtualHost.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1891683 13f79535-47bb-0310-9956-ffa450edef68
2021-07-20 12:44:31 +00:00
2aa1c1415a * mod_http2:
   - Added a timeout to h2 worker cleanup to exit latest after 5 seconds of
     waiting on idle workers to terminate. This happens after all connections
     have been processed. A WARNING is logged in case workers lagged behind.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1891566 13f79535-47bb-0310-9956-ffa450edef68
2021-07-15 08:29:19 +00:00
ff0f512db1 mod_proxy: Fix incomplete initialization of BalancerMember(s) from the manager.
Clear the workers created in ap_proxy_sync_balancer(), notably ->local_status
for below ap_proxy_initialize_worker() to initialize all the child structures
like ->cp and ->cp->reslist, avoiding a possible crash when the workers are
used at runtime.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1891477 13f79535-47bb-0310-9956-ffa450edef68
2021-07-12 10:32:21 +00:00
c07608101f *) mod_md: fixed a potential null pointer dereference if ACME/OCSP
server returned 2xx responses without content type. Reported by chuangwen.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1891470 13f79535-47bb-0310-9956-ffa450edef68
2021-07-12 07:52:28 +00:00
2d34278612 *) mod_http2:
   - Aborting requests via RST_STREAM no longer affects the available
     resources of a connection when the first chunk of the response
     body has been sent.
   - H2Min/MaxWorkers behave as intended again. The module will initially
     create H2MinWorkers threads and add up to H2MaxWorkers when needed. These
     additional workers time out when idle after H2MaxWorkerIdleSeconds and
     disappear again.
   - When the shutdown of a child is detected (e.g. graceful shutdown), the
     module will terminate all idle workers above H2MinWorkers right away.
     This detection currently only happens when a HTTP/2 connection is active.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1891312 13f79535-47bb-0310-9956-ffa450edef68
2021-07-06 13:06:00 +00:00
71736a1f42 Sync CHANGES entries.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1891217 13f79535-47bb-0310-9956-ffa450edef68
2021-07-02 22:39:11 +00:00
542efc0f00 mpm_proxy: Fix possible reuse/merging of Proxy(Pass)Match workers. PR 65419.
We can't truncate ProxyMatch's worker name/url to the first '$' substitution
without possibly colliding with other workers. This also makes the matching
done at runtime by ap_proxy_strcmp_ematch() completely pointless.

To fix this and still address r1878467 (i.e. make http://host:port$1 a "valid"
URL), we need to remove '$' substitutions from the :port part of the URL only
since it's allowed anywhere else by apr_uri_parse().

So let's strip them before apr_uri_parse() and prepend them back in the path
before apr_uri_unparse() to restore the original URL. Non-matchable workers are
not concerned so ap_proxy_define_worker() is made a local helper (w/o the ap_
prefix) which takes "matchable" as argument and can then be called by both
ap_proxy_define_[match_]worker() functions.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1891206 13f79535-47bb-0310-9956-ffa450edef68
2021-07-02 14:58:46 +00:00
06a3e22e28 *) mod_ssl: tighten the handling of ALPN for outgoing (proxy)
     connections. If ALPN protocols are provided and sent to the
     remote server, the received protocol selected is inspected
     and checked for a match. Without match, the peer handshake
     fails.
     An exception is the proposal of "http/1.1" where it is
     accepted if the remote server did not answer ALPN with
     a selected protocol. This accommodates for hosts that do
     not observe/support ALPN and speak http/1.x by default.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1890693 13f79535-47bb-0310-9956-ffa450edef68
2021-06-11 10:45:25 +00:00
a4f45f275b *) core/mod_proxy/mod_ssl:
     Adding `outgoing` flag to conn_rec, indicating a connection is
     initiated by the server to somewhere, in contrast to incoming
     connections from clients.
     Adding `ap_ssl_bind_outgoing()` function that marks a connection
     as outgoing and is used by mod_proxy instead of the previous
     optional function `ssl_engine_set`. This enables other SSL
     modules to secure proxy connections.
     The optional functions `ssl_engine_set`, `ssl_engine_disable` and
     `ssl_proxy_enable` are now provided by the core to have backward
     compatibility with non-httpd modules that might use them. mod_ssl
     itself no longer registers these functions, but keeps them in its
     header for backward compatibility.
     The core provided optional functions wrap any registered function
     like it was done for `ssl_is_ssl`.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1890605 13f79535-47bb-0310-9956-ffa450edef68
2021-06-08 14:37:44 +00:00