Jim Jagielski

Merge r1876540 from trunk:

PR64295 cannot override default Virtualhost's mod_reqtimeout

Of course only body=n can work: the headers have to be parsed to get the virtualhost.

Submitted by: jfclere

Reviewed by: jailletc36, rpluem, jim

Merge r1876484, r1876493 from trunk:

PR64313 htcacheclean: Empty directories in CacheRoot are still present even after using "-t"

* Whitespace style fixes. No functional change.

Submitted by: jfclere, rpluem

Reviewed by: jailletc36, rpluem, jim

Merge r1783041 from trunk:

default_handler: cleanup outputted brigade before leaving.

Submitted by: ylavic

Reviewed by: jailletc36, rpluem, jim

Merge r1534995, r1560482, r1728779, r1805491, r1861528, r1868016, r1874470, r1874602, r1875769, r1875811 from trunk:

don't ignore some apr_procattr failures (clang scan-build)

doxygen improvements

Standardize order of "extern" and XXX_DECLARE_YYY.

Fix some compilation warning when MIME_MAGIC_DEBUG is defined.

warning: format ‘%x’ expects argument of type ‘unsigned int’, but argument <n> has type ‘<something> *’ [-Wformat=]

style: cmd_rec at the bottom

no functional change

Fix a typo in a message.

Reported and fixed by Christian Bartolomäus (bartolin gmx.de)

PR 63806

malloc -> ap_malloc

bz #63967

Slightly simplify code.

No need to set to NULL or 0 fields that are apr_pcalloc'ed.

Axe 'set_cookie_enable' and use 'ap_set_flag_slot' instead.

(based on ideas taken from r1874389)

Parentheses around AP_BUCKET_IS_EOR argument.

Fix a typo

Submitted by: trawick, rjung, jailletc36, covener, jailletc36, gbechis, jailletc36, ylavic, jailletc36

Reviewed by: jailletc36, gbechis, jim

and promote

votes

2.4.42 was DOA

Merge r1874689 from trunk:

*) mod_http2: Fixes issue where mod_unique_id would generate non-unique request

identifier under load, see <https://github.com/icing/mod_h2/issues/195>.

[Michael Kaufmann, Stefan Eissing]

Submitted by: icing

Reviewed by: icing, ylavic, jim

Merge r1874616 from trunk:

PR64140: Allow %{Content-Type} in health check expressions

Submitted By: Renier Velazco <renier.velazco upr.edu>

Committed By: covener

Github: closes #97

Submitted by: covener

Reviewed by: covener, ylavic, jim

Merge r1874424 from trunk:

PR64172: drop severity of AH01666

Submitted by: covener

Reviewed by: covener, ylavic, jim

promote

provide votes

some votes

xforms

Merge r1868645, r1868743, r1868929, r1868934, r1869077 from trunk:

mod_ssl: negotiate the TLS protocol version per name based vhost configuration.

By using the new ClientHello callback provided by OpenSSL 1.1.1, which runs at

the earliest connection stage, we can switch the SSL_CTX of the SSL connection

early enough for OpenSSL to take into account the protocol configuration of the

vhost.

In other words:

SSL_set_SSL_CTX(c->SSL, s->SSL_CTX)

followed by:

SSL_set_{min,max}_proto_version(SSL_CTX_get_{min,max}_proto_version(s->SSL_CTX))

works as expected at this stage (while the same from the SNI callback is

ignored by/due to OpenSSL's state machine).

Extracting the SNI (to select the relevant vhost) in the ClientHello callback

is not as easy as calling SSL_get_servername() though, we have to work with

the raw TLS extensions helpers provided by OpenSSL. I stole this code from a

test in the OpenSSL source code (i.e. client_hello_select_server_ctx() in

test/handshake_helper.c).

We can then call init_vhost() as with the SNI callback (in use only for OpenSSL

versions earlier than 1.1.1 now), and pass it the extracted SNI.

mod_ssl: follow up to r1868645.

Restore ssl_callback_ServerNameIndication() even with OpenSSL 1.1.1+, which

depends on its return value (OK/NOACK), mainly on session resumption, for

SSL_get_servername() to consider or ignore the SNI (returning NULL thus

making SSLStrictSNIVHostCheck fail for possibly legitimate cases).

This means that init_vhost() should accurately return whether the SNI exists

in the configured vhosts, even when it's called multiple times (e.g. first

from ClientHello callback and then from SNI callback), so save that state in

sslconn->vhost_found and reuse it.

mod_ssl: follow up to r1868645.

Keep the base server's SSLProtocol if none is configured on the vhost

selected by Hello/SNI callback.

mod_ssl: follow up to r1868645 and r1868929.

Merge ->protocol_set.

mod_ssl: follow up to r1868645.

CHANGES entry and docs' note.

Submitted by: ylavic

Reviewed by: ylavic, minfrin, jim
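
The commit message above notes that extracting the SNI in the ClientHello callback means working on the raw extension bytes. As an added example (not mod_ssl's or OpenSSL's code), this bounds-checked parser handles a server_name payload in the RFC 6066 layout, as a callback would obtain it from SSL_client_hello_get0_ext(); the function names, the sample buffers and the choice to reject embedded NULs are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed server_name payloads (not captured traffic). */
static const unsigned char EXT_OK[] = { 0x00, 0x0e, 0x00, 0x00, 0x0b,
    'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 'o', 'r', 'g' };
static const unsigned char EXT_OVERLONG[] = { 0x00, 0x0e, 0x00, 0x00, 0x40,
    'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 'o', 'r', 'g' }; /* claims 0x40 */
static const unsigned char EXT_NUL[] = { 0x00, 0x0a, 0x00, 0x00, 0x07,
    'a', 0x00, 'b', '.', 'o', 'r', 'g' };                    /* "a\0b.org" */

/* Copy the first host_name into out (NUL-terminated). 1 = ok, 0 = reject. */
static int sni_from_ext(const unsigned char *ext, size_t len,
                        char *out, size_t out_size)
{
    size_t list_len, name_len;
    if (ext == NULL || len < 2)
        return 0;
    list_len = ((size_t)ext[0] << 8) | ext[1];
    ext += 2, len -= 2;
    if (list_len != len)                 /* list must fill the extension */
        return 0;
    if (len < 3 || ext[0] != 0)          /* 0 = host_name (RFC 6066) */
        return 0;
    name_len = ((size_t)ext[1] << 8) | ext[2];
    ext += 3, len -= 3;
    if (name_len == 0 || name_len > len) /* never read past the payload */
        return 0;
    if (memchr(ext, '\0', name_len) != NULL || name_len >= out_size)
        return 0;                        /* example's choice: no NULs */
    memcpy(out, ext, name_len);
    out[name_len] = '\0';
    return 1;
}

/* 1 if the payload parses and its host_name equals want. */
static int sni_is(const unsigned char *ext, size_t len, const char *want)
{
    char host[256];
    return sni_from_ext(ext, len, host, sizeof host) && strcmp(host, want) == 0;
}

int main(void)
{
    printf("ok=%d overlong=%d nul=%d\n",
           sni_is(EXT_OK, sizeof EXT_OK, "example.org"),
           sni_is(EXT_OVERLONG, sizeof EXT_OVERLONG, "example.org"),
           sni_is(EXT_NUL, sizeof EXT_NUL, "a"));
    return 0;
}
```

Without the embedded-NUL check, the third sample would compare equal to "a" in any C-string vhost lookup, which is why the example rejects it before the name is used for matching.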

Merge r1873748 from trunk:

factor out TE=chunked checking

Submitted by: covener

Reviewed by: covener, minfrin, jorton

Merge r1873747 from trunk:

factor out default regex flags

Submitted by: covener

Reviewed by: covener, minfrin, jorton

Merge r1873745 from trunk:

trap bad FTP responses

Submitted by: covener

Reviewed by: covener, minfrin, jorton

promote

test and vote

Merge r1871810 from trunk:

*) mod_http2: Fixed rare cases where a h2 worker could deadlock the main connection.

Submitted by: icing

Reviewed by: icing, jim, steffenal

Merge r1872455 from trunk:

add r/o iterable tables

The current apr tables exposed support get/set but we cannot get the keys

or iterate. add _table() alternatives

Submitted by: covener

Reviewed by: covener, jim, humbedooh

Merge r1870650 from trunk:

PR63971 expose apr_table_unset for headers/envvars

via nil assignment

Submitted by: covener

Reviewed by: covener, jim, humbedooh

Had some time... votes on backports

Merge r1822531, r1829676, r1847232, r1847234, r1861333, r1852442, r1866145, r1868295, r1868296 from trunk:

mod_proxy: fix proxy connection cleanup from an n+2 pool.

When connection_destructor() is called after pchild is gone, we can't

dereference worker->cp anymore. This happens in debug/one_process mode only,

if we exit by calling apr_terminate() or clearing the process pool directly.

Fix this by NULL-ing worker->cp in conn_pool_cleanup(), and by registering it

as a pre_cleanup.

Delay some memory allocation.

If this handler will not handle the request, no need to waste bytes in the request pool.

Add error messages and return bad request.

fix incorrect rv. Sorry.

Follow up to r1847232.

There is no point to use "old" numbers in recent commit.

Also avoid number duplication. The messages are the same but in different code path, so having different numbers makes sense.

This also avoids a warning when running:

make update-log-msg-tags

Make proxy modules compile if APR_HAS_THREADS is not defined.

restore use of global mutex under !APR_HAS_THREADS

followup to r1852442 which appears to have been too aggressive in wrapping

blocks with #if APR_HAS_THREADS. With !APR_HAS_THREADS a global mutex

is a proc mutex.

* Add back logging goodness

Add back logging goodness added by covener in r1865938.

Fix pool concurrency problems

Create a subpool of the connection pool for worker scoped DNS resolutions.

This is needed to avoid race conditions in using the connection pool by multiple

threads during ramp up.

Recheck after obtaining the lock if we still need to do things or if they

were already done by another thread while we were waiting on the lock.

* modules/proxy/proxy_util.c: Create a subpool of the connection pool for worker

scoped DNS resolutions and use it.

* modules/proxy/mod_proxy.h: Define AP_VOLATILIZE_T and add dns_pool to

struct proxy_conn_pool.

* modules/proxy/mod_proxy_ftp.c: Use dns_pool and consider that

worker->cp->addr is volatile in this location of the code.

PR: 63503

Submitted by: ylavic, jailletc36, jfclere, jfclere, jailletc36, stsp, covener, rpluem, rpluem

Reviewed by: rpluem, covener, jim

Merge r1851332, r1861432, r1862202, r1864759, r1867254, r1867255, r1867569, r1869512 from trunk:

fix a misleading comment about s->defn_name

use the provided types via the macro

* modules/metadata/mod_mime_magic.c: Constify some constant

data, remove unused "suf_recursion" field. No functional

change.

Axe some dead code + slightly improve a comment

Fix a typo

Fix a typo

* modules/ssl/ssl_engine_log.c (ssl_log_cert_error): Use string

length returned by apr_vsnprintf. No functional change.

mod_authz_core: follow up to r1864759.

We should at least log the unexpected provider_name == NULL condition.

Submitted by: covener, jorton, jailletc36, jailletc36, jailletc36, jorton, ylavic

Reviewed by: jailletc36, jim, ylavic

promote

Proposal and votes

config: Speed up graceful restarts by using pre-hashed command table. PR 64066.

[Giovanni Bechis <giovanni paclan.it>, Jim Jagielski]

some backport votes