Checkout Tools
  • last updated 5 hours ago
Constraints
Constraints: committers
 
Constraints: files
Constraints: dates
Merge r1864526 from trunk:

* modules/metadata/mod_remoteip.c (remoteip_process_v2_header,

remoteip_input_filter): Add sanity checks.

Submitted by: jorton, Daniel McCarney <cpu letsencrypt.org>

Submitted by: jorton

Reviewed by: jorton, covener, jim

  1. … 2 more files in changeset.
Merge r1832580, r1832581 from trunk:

mod_remoteip: Fix RemoteIP{Trusted,Internal}ProxyList loading broken by 2.4.30.

Overwriting server config in pre_config hook breaks EXEC_ON_READ directives,

it's automatically created on purpose anyway.

PR 62220.

Follow up to r1832580: correct CHANGES entry.

Submitted by: ylavic

Reviewed by: ylavic, wrowe, jim

  1. … 3 more files in changeset.
Merge r1776458 from trunk:

mod_remoteip: Set useragent port to zero PR59931

When overriding the useragent address from X-Forwarded-For,

zero out what had been initialized as the connection-level port.

Submitted By: Hank Ibell <hwibell gmail.com>

Reviewed by: ylavic, covener, icing

  1. … 2 more files in changeset.
*) mod_remoteip: make proxy-protocol work on HTTP/2 connections.

trunk patch: http://svn.apache.org/r1827196

2.4.x patch: svn merge -c 1827196 ^/httpd/httpd/trunk .

+1: icing, ylavic, jim

  1. … 3 more files in changeset.
Merge r1827654, r1827671 from trunk:

copy apr_sockaddr_is_wildcard to maintain 1.4.x support.

CHANGES for r1827654

Submitted by: covener

Reviewed by: covener, ylavic, rpluem, jim

  1. … 3 more files in changeset.
Merge r1776575, r1776578, r1776624, r1776627, r1776674, r1776734, r1776740, r1778268, r1780725, r1781030, r1781031, r1781701, r1788674, r1789800, r1790169, r1790457, r1790691, r1806985, r1812332, r1818279 from trunk:

Merge new PROXY protocol code into mod_remoteip

Fix typo in mod_remoteip's doc

Shorten RemoteIPProxyProtocolEnable to RemoteIPProxyProtocol and correct references in docs

Move attribution for mod_remoteip RemoteIPProxyProtocol from file to CHANGES

On the trunk:

* mod_remoteip: added cast to fix clang compiler error

Reinsert attribution to mod_remoteip.c for PROXY protocol

* Silence compiler warning

Set all read buckets aside in case we need to restore all during optional header processing

* modules/metadata/mod_remoteip.c: Fix GCC strict-aliasing warning

by moving deference of header array via a different pointer type

("type-punning") out of line.

* modules/metadata/mod_remoteip.c (register_hooks,

remoteip_hook_pre_connection): Reference the filter by handle rather

than name (avoiding tree lookup by name on use).

Change tactic for PROXY processing in Optional case

Finally include feedback from Ruediger Pluem. Add slave "backoff" verified by Sander Hoentjen

Update PROXY handling by removing Optional processing

Rename RemoteIPProxyProtocolDisableHosts to RemoteIPProxyProtocolExceptions

Fix directive name in

(s/RemoteIPProxyProtocolDisableNetworks/RemoteIPProxyProtocolExceptions/)

Use cmd->cmd->name instead to be future proof.

XML update plus typo in mod_remoteip.xml.

PROXY protocol proposal corrections

Fix format pattern (%lu => %APR_SIZE_T_FMT).

Detected by maintainer mode compilation and GCC error:

.../modules/metadata/mod_remoteip.c:

In function 'remoteip_input_filter':

.../include/http_log.h:117:33:

error: format '%lu' expects argument of type

'long unsigned int', but argument 8 has type

'apr_size_t {aka unsigned int}' [-Werror=format=]

APR-ize uint types

Submitted by: druggeri, elukey, druggeri, druggeri, druggeri, icing, druggeri, rpluem, druggeri, jorton, jorton, druggeri, druggeri, druggeri, druggeri, jailletc36, lgentis, mrumph, rjung, jim

Reviewed by: druggeri, jim, minfrin

  1. … 3 more files in changeset.
Revert r1824221: wrong backport.
  1. … 4 more files in changeset.
mod_remoteip: Add PROXY protocol support

trunk patch: http://svn.apache.org/r1776575

http://svn.apache.org/r1776578 (doc fix)

http://svn.apache.org/r1776624

http://svn.apache.org/r1776627 (shortened name + doc fix)

http://svn.apache.org/r1776674 (attribution moved to CHANGES)

http://svn.apache.org/r1776734

http://svn.apache.org/r1776740 (attribution updated in mod_remotip.c)

http://svn.apache.org/r1778268 (fix compiler warning)

http://svn.apache.org/r1780725 (set buckets aside)

http://svn.apache.org/r1781030 (fix strict GCC warning)

http://svn.apache.org/r1781031 (reference the filter by handle)

http://svn.apache.org/r1781701 (rework optional processing case)

http://svn.apache.org/r1788674 (final edge cases/ignore slave conns)

http://svn.apache.org/r1789800 (remove optional processing)

http://svn.apache.org/r1790169 (rename "exception" directive)

http://svn.apache.org/r1790457 (Update directive name in err message)

http://svn.apache.org/r1790691

http://svn.apache.org/r1806985

http://svn.apache.org/r1818279

2.4 convenience patch (includes CHANGES):

http://home.apache.org/~ylavic/patches/RemoteIPProxyProtocol.2.4-v3.patch

+1: druggeri, jim, minfrin

[Reverted by r1824246]

  1. … 4 more files in changeset.
Merge r1688399 from trunk:

mod_remoteip: Use r->useragent_addr as the root trusted address for verifying.

This fixes issue resulting in setting of bad useragent_ip when internal

redirection has been generated as response to the request (typically as

result of "ErrorDocument 40x").

In this case, the original request has been handled by mod_remoteip and its

useragent_ip has been changed properly, but when internal redirection

to ErrorDocument has been generated later, the mod_remoteip's handler has been

executed again with *the same* c->client_addr as in the original request. If

c->client_addr IP is trusted, this results in bad useragent_ip being set.

When using r->useragent_addr as the root trusted address instead of

c->client_addr, the internal redirection uses the first non-trusted

IP in this particular case, so it won't change the r->useragent_ip during

the internal redirection to ErrorDocument.

Submitted by: jkaluza

Reviewed/backported by: jim

  1. … 3 more files in changeset.
Merge r1588330 from trunk:

Prevent an external proxy from presenting an internal proxy

in mod_remoteip.c. PR 55962.

Submitted by: mrumph

Reviewed/backported by: jim

  1. … 3 more files in changeset.
Merge r1564052 from trunk:

Correct the trusted proxy match test in mod_remoteip. PR 54651.\n\nSubmitted By: Yoshinori Ehara <yoshinori ehara gmail com>\nEndorsed By: Eugene L <eugenel amazon com>\nCommited By: mrumph

Submitted by: mrumph

Reviewed/backported by: jim

  1. … 2 more files in changeset.
Merge r1564475 from trunk:

Use the correct IP addresses to populate the proxy_ips field

in mod_remoteip.c. PR 55972.

Submitted by: mrumph

Reviewed/backported by: jim

  1. … 3 more files in changeset.
* easy proposals to synch 2.4.x and trunk

- log.c: avoid needless apr_pstrdup()

- Use apr_pstrmemdup instead of apr_pstrndup when this is safe.

- Use apr_pstrmemdup instead of apr_pstrndup when this is safe.

- Remove redundant check

- 'ap_getword_conf' does not return NULL but an empty string

- Ease logic around 'ap_getword_conf' and drop useless line of code.

- 'ap_getword_conf' can not return NULL

- 'ap_getword_conf' can not return NULL

- Remove redundant check (already performed the line before)

- Use 'apr_pstrmemdup' instead of 'apr_pstrndup' when applicable

trunk patches:

- https://svn.apache.org/viewvc?view=revision&revision=1532122

- https://svn.apache.org/viewvc?view=revision&revision=1549676

- https://svn.apache.org/viewvc?view=revision&revision=1549680

- https://svn.apache.org/viewvc?view=revision&revision=1550651

- https://svn.apache.org/viewvc?view=revision&revision=1551005

- https://svn.apache.org/viewvc?view=revision&revision=1551009

- https://svn.apache.org/viewvc?view=revision&revision=1551010

- https://svn.apache.org/viewvc?view=revision&revision=1551011

- https://svn.apache.org/viewvc?view=revision&revision=1551012

- https://svn.apache.org/viewvc?view=revision&revision=1551013

2.4.x patches: trunk patches work

http://people.apache.org/~jim/patches/ez-2.4-v2.patch

+1: jailletc36, jim, minfrin

  1. … 11 more files in changeset.
s/equivalant/equivalent/ in comments
  1. … 1 more file in changeset.
s/ip/IP/ in comments
mod_remoteip: close file in error path

trunk patch: http://svn.apache.org/r1491234

Submitted by: jailletc36

Reviewed by: covener, minfrin

  1. … 3 more files in changeset.
Merge r1463056 from trunk:

Use %pm available since apr 1.3 instead of an extra call to apr_strerror

Submitted by: sf

Reviewed/backported by: jim

  1. … 7 more files in changeset.
Merge r1407459, r1407460, r1419781, r1418524, r1401448, r1405407, r1405973, r1419726, r1418769, r1417197 from trunk:

remove warning:

mod_remoteip.c:404:38: warning: data argument not used by format string [-Wformat-extra-args]

It's a hack, but maintain the orig hack ;)

Remove warnings

mod_speling.c:400:41: warning: data argument not used by format string [-Wformat-extra-args]

r->uri, nuri, ref);

mod_speling.c:508:53: warning: data argument not used by format string [-Wformat-extra-args]

r->uri, candidates->nelts, ref);

Use 'apr_is_empty_table()' instead of testing against 'apr_table_elts(...)->nelts'

Use ap_rputs instead of ap_rvputs where applicable.

No need to apr_pstrdup things here, 'apr_socket_accept_filter' already makes it own copy.

Not compiled nor tested as on my system APR_HAS_SO_ACCEPTFILTER is set to 0.

revert r1401448 and add a comment on why there's a bewildering copy

of args passed to apr_socket_accept_filter()

cppCheck: kill two warnings about incorrect printf parameters.

'worker_thread_count' is unsigned

cppCheck: same expression on both side of '|'.

Fix it the same way other messages are managed in the function.

Fix a few 'too many arguments for format' warnings

cppCheck: kill a unread variable warning

Submitted by: jim, jailletc36, jailletc36, jailletc36, trawick, jailletc36, jailletc36, sf, jailletc36

Reviewed/backported by: jim

  1. … 13 more files in changeset.
Submitted by: sf

Reviewed by sf, trawick, druggeri

Merge r1304855 from trunk:

Downgrade log message about adjusted IP address to trace1

  1. … 1 more file in changeset.
Backport:

Further clarify the naming of the entity that originates the request by

calling that entity a useragent instead of a client.

Further clarify the naming of the entity that directly connects to us by

calling that entity a client instead of a peer.

  1. … 26 more files in changeset.
Merge r1211663:

Remove usage of APLOG_NOERRNO. It has been a no-op since at least 2.0.x

  1. … 6 more files in changeset.
Backport r1209766, r1210252, r1210284:

Add lots of unique tags to error log messages

ssl_util.c: Downgrade some dynamic locking messages from level DEBUG

to TRACE1-3

  1. … 164 more files in changeset.
Backport:

Introduce a per request version of the remote IP address, which can be

optionally modified by a module when the effective IP of the client

is not the same as the real IP of the client (such as a load balancer).

Introduce a per connection "peer_ip" and a per request "client_ip" to

distinguish between the raw IP address of the connection and the effective

IP address of the request.

  1. … 31 more files in changeset.
Style fixes, no functional change.