
mention relative path behavior, offline question

mod_proxy_http: follow up to r1877696: reindent.

No functional changes.

mod_proxy_http: axe ap_proxy_should_override() duplicate checks.

mod_proxy_http: follow up to r1877646: send Upgrade header with 101 response.

Also, add a comment about why we forward the Upgrade header in non-101
responses provided the protocol matches the upgrade= configuration.

Windows : do not include ap_config_auto.h

Windows bits for mod_log_json.dsp

mod_proxy_http: handle Upgrade requests and upgraded protocol forwarding.

If the request Upgrade header matches the worker upgrade= parameter and
the backend switches the protocol, do the tunneling in mod_proxy_http.
This allows to keep the protocol to HTTP until the backend really
switches the protocol, and apply usual output filters.

When configured to forward Upgrade mechanism, we want the backend to be
able to announce its Upgrade protocol to the client (e.g. with 426
Upgrade Required response) and thus forward back the Upgrade header that
matches the one(s) configured in the worker upgrade= parameter.

ap_proxy_worker_can_upgrade(): added helper to determine whether a
proxy worker is configured to forward an Upgrade protocol.

Bump MMN minor for ap_proxy_worker_can_upgrade().

set_worker_param(): handle worker parameter upgrade=ANY as upgrade=*
(should the "any" protocol scheme be something some day..).

proxy_wstunnel_handler(): use ap_proxy_worker_can_upgrade() to match
the Upgrade header. Axe handling of upgrade=NONE, it makes no sense to
Upgrade a connection if the client did not ask for it, nor to configure
mod_proxy_wstunnel to use a worker with upgrade=NONE by the way.

proxy_http_req_t: add fields force10 (force HTTP/1.0) and upgrade (value
of the Upgrade header sent by the client if it matches the configuration,
NULL otherwise).

proxy_http_handler(): use ap_proxy_worker_can_upgrade() to determine
whether the request is electable for end to end protocol upgrading and set
req->upgrade accordingly.

terminate_headers(): handle Connection and Upgrade headers to send to the
backend, according to req->force10 and req->upgrade set before.

ap_proxy_http_prefetch(): use req->force10 and terminate_headers().

send_continue_body(): added helper to send the body retained for end to
end 100-continue handling.

ap_proxy_http_process_response(): use ap_proxy_worker_can_upgrade() to
match the response Upgrade header and forward it back if it matches the
configured one(s). That is for 101 Switching Protocol obviously but also
any other status code which is not overridden, at the backend wish. If the
protocol is switching, create a proxy tunnel and run it, using the minimal
timeout from the client or backend connection.

Github: closes #125

ap_log_pid(): Windows does not implement apr_file_perms_set(), not a failure.
mod_md: update duplicated APLOGNOs.
listen.c: follow up to r1876865: update APLOGNO.
Add Win build mod_log_json.dsp

add include to test_char.h now required

mod_proxy_http: follow up to r1877557.

Yet better, call proxy_run_detach_backend() at the caller.

mod_proxy_http: single point of failure in ap_proxy_http_process_response().

No functional change (intended).

mpm_event: reset listener_is_wakeable on reload.
util_md5: avoid temporary stack result in ap_md5_binary().
util_expr: allow to specify only one of ap_expr_eval_ctx_t's r/c/s.

Depending on where the expression is evaluated, a request_rec might not be
available, so allow to specify only a conn_rec or a server_rec (at least) in
the passed in ap_expr_eval_ctx_t.

mod_ssl: destroy temporary pool on stapling_renew_response() failure.
util_filter: export ap_filter_adopt_brigade() since mod_ssl uses it.
fr doc rebuild.

fr doc XML file update.

fr doc rebuild.

fr doc XML files updates.

mod_ssl: Update the ssl_var_lookup() API:

a) constify return value and variable name passed-in
b) require that pool argument is non-NULL
c) add gcc warning attributes for NULL arguments or ignored result.

This allows removal of inefficient internal duplication of constant
strings which was necessary only to allow non-const char *, and
removal of unsafe casts to/from const in various places.

* modules/ssl/ssl_engine_vars.c (ssl_var_lookup): Assume pool is
  non-NULL; return constant and remove apr_pstrdup of constant
  result string. Also constify variable name.
  (ssl_var_lookup_*): Update to return const char * and avoid
  duplication where now possible.

* modules/ssl/mod_ssl.h: Update ssl_var_lookup() optional function
  API description and add GCC warning attributes as per private API.

* modules/ssl/ssl_engine_init.c (ssl_add_version_components): Adjust
  for const return value.

* modules/ssl/ssl_engine_io.c (ssl_io_filter_handshake): Pass c->pool
  to ssl_var_lookup.

* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Pass r->pool to
  ssl_var_lookup, expect const return and dup the string since r->user
  is char *.
  (log_tracing_state): Pass c->pool to ssl_var_lookup.

* modules/http2/h2_h2.c (h2_is_acceptable_connection): Assume
  return value of ssl_var_lookup is const.

Github: closes #120

* os/win32/win32_config_layout: Define DEFAULT_REL_STATEDIR for Win32.

mod_ssl: Drop SSLRandomSeed implementation with OpenSSL 1.1.1.

Require that OpenSSL is configured with a suitable entropy source,
or fail startup otherwise.

* modules/ssl/ssl_private.h:
  Define MODSSL_USE_SSLRAND for OpenSSL < 1.1.1.
  (SSLModConfigRec): Only define pid, aRandSeed for <1.1.1.
  (ssl_rand_seed): Define as noop if !MODSSL_USE_SSLRAND.

* modules/ssl/ssl_engine_init.c (ssl_init_Module):
  Only initialize mc->pid for MODSSL_USE_SSLRAND.
  Fail if RAND_status() returns zero.
  (ssl_init_Child): Drop getpid and srand for !MODSSL_USE_SSLRAND.

* modules/ssl/ssl_engine_rand.c: ifdef-out for !MODSSL_USE_SSLRAND.
  (ssl_rand_seed): Drop warning if PRNG not seeded (now a startup
  error as above).

* modules/ssl/ssl_engine_config.c (ssl_config_global_create): Drop
  aRandSeed initialization. (ssl_cmd_SSLRandomSeed): Log a warning if

Github: closes #123

ap_core_input_filter(): axe unnecessary AP_MODE_SPECULATIVE test.

mod_ssl: Minor cleanup to avoid defining init handling functions for
pre-1.1 builds where they are noops or unused. No functional change

* modules/ssl/mod_ssl.c: Define NEED_MANUAL_OPENSSL_INIT for builds
  where pre-1.1 OpenSSL needs "manual" initialization/cleanup. Only
  define modssl_running_statically for this case (otherwise it is set
  and never read).
  (modssl_is_prelinked): Only define for NEED_MANUAL_OPENSSL_INIT.
  (ssl_cleanup_pre_config): Only define for NEED_MANUAL_OPENSSL_INIT;
  otherwise it is a noop returning APR_SUCCESS;
  (ssl_hook_pre_config): Only install the cleanup and initialize
  modssl_is_prelinked for NEED_MANUAL_OPENSSL_INIT build.

mod_ssl: Switch to using SSL_OP_NO_RENEGOTIATION (where available) to
block client-initiated renegotiation with TLSv1.2 and earlier.

* modules/ssl/ssl_private.h: Define modssl_reneg_state enum,
  modssl_set_reneg_state function.

* modules/ssl/ssl_engine_io.c (bio_filter_out_write,
  bio_filter_in_read): #ifdef-out reneg protection if

* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol):

  (ssl_init_ctx_callbacks): Only enable the "info" callback if
  debug-level logging *or* OpenSSL doesn't support SSL_OP_NO_RENEGOTIATION.

* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access_classic): Use
  modssl_set_reneg_state to set the reneg protection mode.
  (ssl_hook_Access_modern): Drop manipulation of the reneg mode which
  does nothing for TLSv1.3 already.
  (ssl_callback_Info): Only enable reneg protection if
  SSL_OP_NO_RENEGOTIATION is *not* defined.

* modules/ssl/ssl_util_ssl.c (modssl_set_reneg_state): New function.