mod_proxy: Improve tunneling loop.

Support half closed connections and pending data draining (for protocols like rsync). PR 61616.

When reading on one side goes faster than writing on the other side, the output filters chain may start buffering data and finally block, which will break bidirectional tunneling for some protocols.

To avoid this, proxy_tunnel_run() now stops polling/reading until pending data are drained, and recovers appropriately.

  1. … 5 more files in changeset.
mod_proxy: factorize mod_proxy_{connect,wstunnel} tunneling code in proxy_util.

This commit adds struct proxy_tunnel_rec that contains the fields needed for a poll() loop through the filters chains, plus functions ap_proxy_tunnel_create() and ap_proxy_tunnel_run() to respectively initialize a tunnel and (re)start it.

Proxy connect and wstunnel modules now make use of this new API to avoid duplicating logic and code.

  1. … 6 more files in changeset.
Fix pool concurrency problems

Create a subpool of the connection pool for worker scoped DNS resolutions. This is needed to avoid race conditions in using the connection pool by multiple threads during ramp up.

Recheck after obtaining the lock if we still need to do things or if they were already done by another thread while we were waiting on the lock.

* modules/proxy/proxy_util.c: Create a subpool of the connection pool for worker scoped DNS resolutions and use it.

* modules/proxy/mod_proxy.h: Define AP_VOLATILIZE_T and add dns_pool to struct proxy_conn_pool.

* modules/proxy/mod_proxy_ftp.c: Use dns_pool and consider that worker->cp->addr is volatile in this location of the code.

PR: 63503

  1. … 4 more files in changeset.
* Add back logging goodness

Add back logging goodness added by covener in r1865938.

* Revert r1865944 and r1865938

Revert r1865944 and r1865938 in order to provide a better patch with less locking and thus contention.


PR63503: fix pool concurrency problems in mod_proxy

reslist and resolver related calls could concurrently access the same pool.

Submitted By: Don Poitras <Don.Poitras>

Committed By: covener

restore use of global mutex under !APR_HAS_THREADS

followup to r1852442 which appears to have been too aggressive in wrapping blocks with #if APR_HAS_THREADS. With !APR_HAS_THREADS a global mutex is a proc mutex.

  1. … 2 more files in changeset.

PR63503: fix pool concurrency problems in mod_proxy

reslist and resolver related calls could concurrently access the same pool.

Submitted By: Don Poitras <Don.Poitras>

Committed By: covener

remove APR_HAS_THREADS check

no need to wrap these after r1865936

* modules/proxy/proxy_util.c (ap_proxy_share_balancer): Create the nonce as a pseudo-UUID using the PRNG.

remove request details from error documents

  1. … 4 more files in changeset.
* Fix the logic to follow the comment. So far we only forwarded the header if we have NOT used it AND the env variable was set. But if we have not used it we should forward it in any case independent of the env variable


This aligns also with the behaviour in ap_proxy_create_hdrbrgd.

Follow up to r1859371: extend to other ap_proxy_connection_create[_ex]() users.

This function now handles SSL reuse as well as the "proxy-request-hostname" note (SNI), so let's also call it unconditionally in all proxy modules.

On the mod_ssl side, since this note has the lifetime of the connection, don't reset/unset it during handshake (ssl_io_filter_handshake).

  1. … 6 more files in changeset.
Fix for: [Bug 62372] Load balancer byrequests required when bytraffic chosen

mod_proxy/ssl: cleanup per-request SSL configuration for recycled proxy conns.

The SSL dir config of proxy/backend connections is stored in r->per_dir_config but those connections have a lifetime independent of the requests they handle. So we need to allow the external ssl_engine_set() function to reset mod_ssl's dir config in between proxy requests, or the first sslconn->dc could be used after free for the next requests.

mod_proxy can then reset/reinit the request config when recycling its backend


PR 63256.

  1. … 2 more files in changeset.
Make proxy modules compile if APR_HAS_THREADS is not defined.

  1. … 3 more files in changeset.
If ProxyPassReverse is used for reverse mapping of relative redirects, subsequent ProxyPassReverse statements, whether they are relative or absolute, may fail.

PR 60408 [Peter Haworth <pmh1wheel>]

  1. … 1 more file in changeset.
mod_proxy_http: follow up to r1836588: avoid 100-continue responses from core.

When mod_proxy_http handles end-to-end "100 continue", it can't let ap_http_filter() send its own interim response whenever the body is read. So save/restore r->expecting_100 before/after handling the request, and use req->expecting_100 internally (including to restore r->expecting appropriately).

While at it, add comments and debug logs about 100 continue handling, and fill in missing APLOGNO()s from r1836588.

  1. … 2 more files in changeset.
* ap_proxy_balancer_get_best_worker cannot be exported and used as an optional function at the same time. So rename ap_proxy_balancer_get_best_worker to proxy_balancer_get_best_worker and make it static which is then used as an optional function and recreate ap_proxy_balancer_get_best_worker as an exported thin wrapper of proxy_balancer_get_best_worker.

  1. … 4 more files in changeset.
* mod_proxy: Remove load order and link dependency between mod_lbmethod_* modules and mod_proxy by providing mod_proxy's ap_proxy_balancer_get_best_worker as an optional function.

PR: 62557

  1. … 6 more files in changeset.
Add default schema ports for websockets


Lubos Uhliarik <>

* modules/proxy/proxy_util.c (ap_proxy_share_worker): Skip creating subpool for debugging unless debug-level logging is enabled. No functional change.

In 'ap_proxy_cookie_reverse_map', iterate over each token of the 'Set-Cookie' header field in order to avoid updating the wrong one.

This could happen if the header field has something like 'fakepath=foo;path=bar'. In this case fakepath would be updated instead of path.

We don't need regex anymore in order to parse the field values and 'ap_proxy_strmatch_domain' and 'ap_proxy_strmatch_path' are now useless. (and should be axed IMHO)

PR 61560

  1. … 1 more file in changeset.
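
The matching problem that the 'ap_proxy_cookie_reverse_map' message above describes, as an added C example (not httpd's code): a substring search for `path=` is compared with a walk over the `;`-separated tokens. The function names and the sample header are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h> /* strncasecmp (POSIX) */

/* Constructed sample, built around the value quoted in the commit message. */
static const char SAMPLE[] = "id=1; fakepath=foo;path=bar";

/* Substring lookup: first case-insensitive "<name>=" anywhere in the field.
 * Returns the offset of the attribute value, or -1 if absent. */
static long attr_by_substring(const char *hdr, const char *name)
{
    size_t n = strlen(name);
    for (const char *p = hdr; *p; p++) {
        if (strncasecmp(p, name, n) == 0 && p[n] == '=')
            return (long)(p + n + 1 - hdr);
    }
    return -1;
}

/* Token lookup: walk the ';'-separated tokens, skip leading blanks, and
 * accept a token only when <name> is its entire attribute name. */
static long attr_by_token(const char *hdr, const char *name)
{
    size_t n = strlen(name);
    const char *tok = hdr;
    while (*tok) {
        while (*tok == ';' || isspace((unsigned char)*tok))
            tok++;
        if (strncasecmp(tok, name, n) == 0 && tok[n] == '=')
            return (long)(tok + n + 1 - hdr);
        tok += strcspn(tok, ";"); /* jump to the end of this token */
    }
    return -1;
}

int main(void)
{
    long a = attr_by_substring(SAMPLE, "path");
    long b = attr_by_token(SAMPLE, "path");
    printf("substring: value \"%s\"\n", SAMPLE + a); /* starts at fakepath's value */
    printf("token:     value \"%s\"\n", SAMPLE + b); /* the real path value */
    return 0;
}
```
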
mod_proxy_balancer: Add hot spare member type and corresponding flag (R). Hot spare members are used as drop-in replacements for unusable workers in the same load balancer set. This differs from hot standbys which are only used when all workers in a set are unusable. PR 61140.

  1. … 10 more files in changeset.
Follow up to r1609680: further simplify/optimize ap_proxy_strcmp_ematch().

While at it, same treatment for its mother ap_strcmp_match().

  1. … 1 more file in changeset.
Follow up to r1609680: simpler/faster ap_proxy_strcmp_ematch().

No functional change.

Set the notice when hostname is too long for legacy proxy modules to info level.

Tone down the message that worker hostname is too long noting it only affects legacy modules not yet using hostname_ex.

mod_proxy: Provide an RFC1035 compliant version of the hostname in the proxy_worker_shared structure. PR62085

  1. … 8 more files in changeset.
too-long worker schemes and/or hostnames are no longer fatal errors
  1. … 2 more files in changeset.