Checkout Tools
  • last updated 7 hours ago
Constraints: committers
Constraints: files
Constraints: dates
mod_proxy_http: handle async tunneling of Upgrade(d) protocols.

When supported by the MPM (i.e. "event"), provide async callbacks and let

them be scheduled by ap_mpm_register_poll_callback_timeout(), while the

handler returns SUSPENDED.

The new ProxyAsyncDelay directive (if positive) enables async handling,

while ProxyAsyncIdleTimeout determines the timeout applied on both ends

while tunneling.

Github: closes #126

  1. … 2 more files in changeset.
Revert r1879361: 2.4.x material only.
mod_proxy: unfail mixed ProxyPass/<Proxy> and ProxyPassMatch/<ProxyMatch>.

It is not a failure in current 2.4.x, so to ease backport and to avoid compat

breakage simply warn about the second directive being ignored.

This commit can be reverted in trunk if we want next versions to fail in this


[Reverted by r1879363]

  1. … 1 more file in changeset.
Follow up to r1879235: fill APLOGNO().

  1. … 1 more file in changeset.
Follow up to r1879080 and r1879137: servlet-normalize r->uri if matched.

If a ProxyPass mapping=servlet matches (in pre_trans hook), update r->uri with

the servlet normalization so that later <Location> or any dir context match

does not have to handle potential path parameters.

  1. … 1 more file in changeset.
Follow up to r1879080: replace ProxyUseOriginalURI by mapping=encoded.

Instead of having a separate ProxyUseOriginalURI directive to control pre_ vs

normal translate stage, let's handle this at each ProxyPass level, with the

mapping= parameter.

At pre_translate stage mod_proxy will handle the "encoded" mapping only, and

at translate stage only the others (unless a worker was already elected at

the first stage).

Note that since mapping=servlet needs to happen encoded too, it's defined like:



so that proxy_trans does the right thing.

This allows for simpler and consistent mapping configuration, where the

translate stage depends only on the mapping= parameter.

To implement a fast path (do nothing) when no encoded mapping is configured

at pre_trans stage, or all mappings are encoded at translate stage, two bits

are added to proxy_server_conf (map_encoded_one:1, map_encoded_all:1) and

updated at load time. Thus MINOR is bumped too.

  1. … 2 more files in changeset.
Follow up to r1879079, r1879080: change to DONE semantics for pre_trans hooks.

Don't decode r->uri when pre_trans returns DONE instead of OK, which allows to

preserve previous behaviour where decoding was avoided for "ProxyRequests on"

or post_read_request RewriteRule [P] only, but not ProxyPass'ed requests.

This also preserves decoded location walk in most/same cases.

  1. … 2 more files in changeset.
Follow up to r1879111: gcc suggests parentheses around ^ operator, oh well.

Follow up to r1879110: avoid signed comparison for use_original_uri.

And fix comment about default value.

Follow up to r1879080: rename ProxyMappingDecoded to ProxyUseOriginalURI.

Same for proxy_dir_conf field.

  1. … 1 more file in changeset.
Allow for proxy servlet mapping at pre_translate_name stage.

Provide alias_match_servlet(), the servlet counterpart of alias_match(),

which maps the request URI-path to the ProxyPass alias ignoring path

parameters, while still forwarding them (above the alias).

This is needed to proxy servlet URIs for application handled by Tomcat,

which can then make use of the path/segments parameters.

Github: closes #128

  1. … 1 more file in changeset.
core,modules: provide/use ap_parse_strict_length() helper.

It helps simplifying a lot of duplicated code based on apr_strtoff(), while

also rejecting leading plus/minus signs which are dissalowed in Content-Length

and (Content-)Range headers.

  1. … 18 more files in changeset.
mod_proxy: binary search for ProxyErrorOverride status codes.

The list can be rather long, speed up runtime by sorting the status codes in

error_override_codes and using binary search from ap_proxy_should_override().

  1. … 1 more file in changeset.
mod_proxy_http: handle Upgrade requests and upgraded protocol forwarding.

If the request Upgrade header matches the worker upgrade= parameter and

the backend switches the protocol, do the tunneling in mod_proxy_http.

This allows to keep the protocol to HTTP until the backend really

switches the protocol, and apply usual output filters.

When configured to forward Upgrade mechanism, we want the backend to be

able to announce its Upgrade protocol to the client (e.g. with 426

Upgrade Required response) and thus forward back the Upgrade header that

matches the one(s) configured in the worker upgrade= parameter.



ap_proxy_worker_can_upgrade(): added helper to determine whether a

proxy worker is configured to forward an Upgrade protocol.


Bump MMN minor for ap_proxy_worker_can_upgrade().


set_worker_param(): handle worker parameter upgrade=ANY as upgrade=*

(should the "any" protocol scheme be something some day..).


proxy_wstunnel_handler(): use ap_proxy_worker_can_upgrade() to match

the Upgrade header. Axe handling of upgrade=NONE, it makes no sense to

Upgrade a connection if the client did not ask for it, nor to configure

mod_proxy_wstunnel to use a worker with upgrade=NONE by the way.


proxy_http_req_t: add fields force10 (force HTTP/1.0) and upgrade (value

of the Upgrade header sent by the client if it matches the configuration,

NULL otherwise).

proxy_http_handler(): use ap_proxy_worker_can_upgrade() to determine

whether the request is electable for end to end protocol upgrading and set

req->upgrade accordingly.

terminate_headers(): handle Connection and Upgrade headers to send to the

backend, according to req->force10 and req->upgrade set before.

ap_proxy_http_prefetch(): use req->force10 and terminate_headers().

send_continue_body(): added helper to send the body retained for end to

end 100-continue handling.

ap_proxy_http_process_response(): use ap_proxy_worker_can_upgrade() to

match the response Upgrade header and forward it back if it matches the

configured one(s). That is for 101 Switching Protocol obviously but also

any other status code which is not overidden, at the backend wish. If the

protocol is switching, create a proxy tunnel and run it, using the minimal

timeout from the client or backend connection.

Github: closes #125

  1. … 7 more files in changeset.
Add missing pool tags to help debugging.
  1. … 41 more files in changeset.
PR63628: individual status codes for ProxyErrorOverride.

Support specifying the http status codes to be considered by ProxyErrorOverride

Submitted By: Martin Drößler <mail>

Committed By: covener

  1. … 9 more files in changeset.
Fix spelling errors found by codespell. [skip ci]

  1. … 100 more files in changeset.
mod_proxy: Add proxy check_trans hook.

This allows proxy modules to decline request handling at early stage.

Then mod_proxy_wstunnel can implement that hook to verify that an Upgrade

is requested, and otherwise hand over to mod_proxy_http.

  1. … 4 more files in changeset.

  1. … 1 more file in changeset.
remove request details from error documents

  1. … 4 more files in changeset.
Synch trunk and 2.4.x

Remove some useless spaces which have never been backported in 2.4.x.

This was part of r1724879 and was backported in r1744951

* modules/proxy/mod_proxy.c (create_proxy_config): Tag the pool.

* modules/lua/mod_lua.c (lua_post_config, create_vm_spec): Tag pools.

  1. … 1 more file in changeset.
mod_proxy: follow up to r1836588: configurable Proxy100Continue.

Add Proxy100Continue directive to allow for 100-continue forwarding opt-out.

  1. … 4 more files in changeset.
mod_proxy: Improve the balancer member data shown

in mod_status when "ProxyStatus" is "On":

add "busy" count and show byte counts in auto

mode always in units of kilobytes.

  1. … 1 more file in changeset.
PR62199: add worker parameter ResponseFieldSize to mod_proxy

Submitted By: Hank Ibell

Committed By: covener

  1. … 5 more files in changeset.
mod_proxy_balancer: Add hot spare member type and corresponding flag (R). Hot spare members are

used as drop-in replacements for unusable workers in the same load balancer set. This differs

from hot standbys which are only used when all workers in a set are unusable. PR 61140.

  1. … 10 more files in changeset.
mod_proxy: Provide an RFC1035 compliant version of the hostname in the

proxy_worker_shared structure. PR62085

  1. … 8 more files in changeset.
Revert r1813167 (per review).
  1. … 2 more files in changeset.
mod_proxy_balancer: fix runtime lbfactor value changed in 2.4.28.

It is assumed to be between 1 and 100 by lbmethods, so normalize it


[Reverted by r1813255]

  1. … 2 more files in changeset.
Follow up to r1740928: including NOT_IN_PROXY in NOT_IN_DIR_LOC_FILE is both

incomplete and not backportable, fix it by introducing NOT_IN_DIR_CONTEXT and

restoring NOT_IN_DIR_LOC_FILE to its previous value.

Per ap_check_cmd_context(), NOT_IN_DIR_LOC_FILE actually/really means "not in

any directory context", while the definition itself does not include all the

existing directory contexts (e.g. <Limit>, or <Proxy> before r1740928).

This is a bit of a misnomer, at least, so instead of (ab)using it by adding the

missing contexts (in an incompatible way), let's define NOT_IN_DIR_CONTEXT to

really exclude all directory context (i.e. NOT_IN_DIR_LOC_FILE + NOT_IN_LIMIT +

NOT_IN_PROXY) and use it wherever NOT_IN_DIR_LOC_FILE was used.

This is by itself a major MMN bump (modules not compiled with this commit and

having directives checked against NOT_IN_DIR_LOC_FILE won't be caught the same

way by NOT_IN_DIR_CONTEXT in the new ap_check_cmd_context() code), but with the

below change, 2.4.x should work as before:

- if ((forbidden & NOT_IN_DIR_CONTEXT) == NOT_IN_DIR_CONTEXT) {

+ if ((forbidden & NOT_IN_DIR_LOC_FILE) == NOT_IN_DIR_LOC_FILE) {

if (cmd->path != NULL) {

return apr_pstrcat(cmd->pool, cmd->cmd->name, gt,

- " cannot occur within directory context", NULL);

+ " cannot occur within <Directory/Location/Files/Proxy> "

+ "section", NULL);




  1. … 7 more files in changeset.