Dirk-Willem van Gulik

Fix minor typo; credits to mvdb@apache.org.
make_sni.sh test -- Accommodate for platforms which do not have RANDOM in their sh(1) implementation - rely on the pid and a not so random prefix
Add Joe Orton his SNI test case for client authentication
Centralize the error-header collapsing done when sending out cached replies. Mark the change in CHANGES as it may have unforeseen fall out and/or may need to be reverted or done more subtle.
Centralize hop-by-hop header handling in the main mod_cache code. This change is a no-op -- i.e. we call the same code path as prior to the API renaming. However this is probably wrong; and we should have been cleansing the content-types all along
Centralize hop-by-hop header handling in the memory caching code.
Centralize hop-by-hop header handling in the disk caching code. Note that 'out' now has actual out semantics; hence the change in headers_in.
Currently each of the caching modules includes logic to implement
the hop-by-hop rules of rfc 2616 along with the entity response
rules. To make sure that they stay in sync; and to make it easier
to add (http) caching modules - this change moves them all into
one place (cache_util) and exposes an in-bound and out-bound
version to operate on the headers.

In short: we retire ap_cache_cacheable_hdrs_out() which was used
for both in- and out-put headers; and replace it by a single
ap_cache_cacheable_headers() which understands the hop-by-hop
rules. And then wrap this into an in- and out-put specific
ap_cache_cacheable_headers_in()/out() which we can teach things
about entity responses and so on. The latter which will also
merge error and ensure content-type.

This API change bumps up the minor MM by one.

Incorporate feedback/requests for a bit more flexibility: 1) allow any domain and IP address for the SNI demonstration and 2) make the index.html sample files a bit easier to recognize.
Kasper Brand came across a flaw in the current implementation when CRL
information - i.e. SSLCARevocationFile/SSLCARevocationPath - is set
on a per-vhost basis (don't know how much sense it makes to have
non-global CRLs, but anyway...).

The attached patch (47B2B1A7.1060009@velox.ch on httpd-dev) addresses
this issue, and it also improves the logging behavior for an SNI
enabled configuration (previously some of the messages would
always go to the first vhost, or wouldn't appear at
all, depending on the LogLevel of the first vhost).

reviewed: dirkx

More spelling/clarifications/depluralizing (and we know the name of the error log)
Clarify the text a little and use the vhost terminology.

Addition of a test script which creates a Sample/test configuration for installations
that want to support SNI. Primarily done as a lot of web developers find the creation
of certificates hard - and do not want to go to the expense of sourcing a handful
from a well-known CA just for testing and experimenting.

Also update the CHANGES log with the word 'SNI' as to make googling it easier.

Incorporate feedback of Rudiger.
Turn the cache module into first class citizens (well the disk_cache
and file cache that is).

This makes the delta between 'all' and 'most'

mod_cern_meta.c
mod_log_forensic.c
mod_mime_magic.c
mod_unique_id.c
mod_usertrack.c
mod_version.c
mod_mem_cache.c

And keeps disabled in all and most the modules for:

authnz_ldap
bucketeer
echo
example_hooks
case_filter
case_filter_in
example_ipc
charset_lite
cgid
ldap
optional_hook_export
optional_hook_import
optional_fn_import
optional_fn_export

As well as mod_ssl which is intentionally not part of MOST and All.

Reduce the WARNING to a DEBUG when SNI support is enabled.

This is because a) during SNI such is normal and b) regardless
when overlap is detected there will always be a warning:

[warn] Init: Name-based SSL virtual hosts only work for clients
with TLS server name indication support (RFC 4366)

at the end of the cycle.

Return a little bit more error information when, say a disk is full or something gets write protected. Note that in some cases mod_cache.c will _also_ log a 'cache: store_headers failed' subsequently.
Add PR for header install
Also install the so, rewrite and cache header files.
Sub-requests are created and used with two purposes; sometimes
simply to 'see' what a request would do; as to fill out an SSI,
validate access or similar - and is then discarded. And sometimes
as the precursor to becoming the actual request; e.g. when mod_dir
checks if an /index.html can be served for a '/'.

In the latter case it is important to preserve the output filters
'for real'; whereas in the first case they have to be reset to
purely the minimal proto filters (if at all). This patch instates
the output filters in 3 cases where sub-requests are/may in fact
be used as the real request later on.

This is a relatively risky change (which should not be back-ported
without further discussion) and may break caches in combination
with internal redirects/vary/negotiation in subtle ways.

See the thread starting at [1] and in particular the general
concerns of rpluem at [2] with respect to sub requests
and (fast_)internal redirects possibly needing a more
thorough overhaul.

1: http://mail-archives.apache.org/mod_mbox/httpd-dev/200802.mbox/ajax/%3c335D1A4B-25E2-4FF1-8CDF-5010A7FBD293@webweaving.org%3e
2: http://mail-archives.apache.org/mod_mbox/httpd-dev/200802.mbox/%3c47ACE1D4.4060702@apache.org%3e

Making the life of the Style Police a bit easier.

Scratch another itch - this patch allows me to hugely simplify auth modules
which use non 4xx methods for auth (such as cookies, referers, etc).

Submitted by Sander van Zoest (for a slightly different reason) - see
explanation below.

From: Sander van Zoest
To: dev@httpd.apache.org

It is common practice to set Cookies to pass along on HTTP
redirects for "login" authentication.

When implementing P3P <http://www.w3.org/P3P/> using
mod_headers.c the Header directive only sets r->headers_out
and does not pass the headers along for non-2XX responses
such as error pages and redirects.

To provide this functionality we added the ErrorHeader
directive which populates r->err_headers_out instead.

Below follows a patch for 1.3.X by Michael Radwin <radwin_at_yahoo-inc.com>.

I have some code that attempts to add Directive to 2.0.X, but
it seems that output_filters are shortcuted on 3XX responses.

While now by setting the Header directive it also passes the headers
along for all non-2XX responses except 3XX responses.

Cheers,

--
Sander van Zoest

PR: 9181
Obtained from: Michael Radwin
Submitted by: Sander van Zoest
Reviewed by: Dirk-Willem van Gulik

Scratched a major itch - got bitten by config directory globbing sucking
in an editor backup file once too many. Applied the patch as submitted
by Sander van Zoest (Bug id 12712) which makes it possible to limit
the scope with simple but effective wild cards.

PR: 12712
Obtained from: Sander van Zoest
Submitted by: Sander van Zoest
Reviewed by: Dirk-Willem van Gulik

Scratched a major itch - got bitten by config directory globbing sucking
in an editor backup file once too many. Applied the patch as submitted
by Sander van Zoest (Bug id 12712) which makes it possible to limit
the scope with simple but effective wild cards.

Corrected RFC reference and updated spec.
Thanks Roy for catching this one.

Make apache work with the iCal webdav client when using
DigestAuth. We probably should revisit mod_digest its parsing
at some point.

NOTE: - not yet done for EBCDIC !

Hall of blame update.

Changes as submitted by
Hiroaki KAWAI <hawk@bcl.t.u-tokyo.ac.jp>
and
Peter Van Biesen <peter.vanbiesen@vlafo.be>
to get a Dutch version in.

Placeholder while we figure out what the next
playground is going to be.

As an aside - perhaps we should split this page up
in companies with products and companies who do support
and companies who do consulting.

Documented the printing of HARD_SERVER_LIMIT when using httpd -V.