Yann Ylavic

Remove duplicated CHANGES entry.
Comment, vote, promote.
Comment, vote, promote.
mod_authz_core: follow up to r1864759.

We should at least log the unexpected provider_name == NULL condition.

Propose (and remove backported entry).
Merge r1869499, r1869500 from trunk:

Use latest/compatible apr_common.m4.

Never check in generated files applied to build/apr_common.m4.

Reviewed on dev@ by: ylavic, icing, rpluem

Merge r1868313 from trunk:

Honor "Accept-Encoding: foo;q=0" as per RFC 7231, which means 'foo' is "not acceptable". PR 58158

Submitted by: jailletc36

Reviewed/backported by: jailletc36, jim, ylavic

Vote, promote.
Never check in generated files applied to build/apr_common.m4.
Use latest/compatible apr_common.m4.
mod_proxy: Improve tunneling loop.

Support half-closed connections and pending data draining (for protocols like rsync). PR 61616.

When reading on one side goes faster than writing on the other side, the output filters chain may start buffering data and finally block, which will break bidirectional tunneling for some protocols.

To avoid this, proxy_tunnel_run() now stops polling/reading until pending data are drained, and recovers appropriately.

mod_proxy: Add proxy check_trans hook.

This allows proxy modules to decline request handling at an early stage.

Then mod_proxy_wstunnel can implement that hook to verify that an Upgrade is requested, and otherwise hand over to mod_proxy_http.

mod_proxy: factorize mod_proxy_{connect,wstunnel} tunneling code in proxy_util.

This commit adds struct proxy_tunnel_rec that contains the fields needed for a poll() loop through the filters chains, plus functions ap_proxy_tunnel_create() and ap_proxy_tunnel_run() to respectively initialize a tunnel and (re)start it.

Proxy connect and wstunnel modules now make use of this new API to avoid duplicating logic and code.

mod_proxy_http: follow up to r1869216.

Let's call stream_reqbody() for all rb_methods, no RB_SPOOL_CL special case.

This both simplifies the code and allows keeping EOS in the input_brigade until it's sent, and thus detecting whether we already fetched the whole body if/when proxy_http_handler() re-enters for different balancer members.

Revert r1869222, wrong files committed.
mod_proxy_http: follow up to r1869216.

Let's call stream_reqbody() for all rb_methods, no RB_SPOOL_CL special case.

This both simplifies the code and allows keeping EOS in the input_brigade until it's sent, and thus detecting whether we already fetched the whole body if/when proxy_http_handler() re-enters for different balancer members.

[reverted by r1869223]

mod_proxy_http: fix load-balancer fallback for requests with a body.

Since r1656259 (or r1656259 in 2.4.41) and the move of prefetch before connect, the balancer fallback case where proxy_http_handler() is re-entered with the next balancer member broke.

We need to save the body (partially) prefetched the first time and reuse it on successive calls, otherwise we might forward a partial or empty body.

mod_ssl: follow up to r1868645.

CHANGES entry and docs' note.

mod_ssl: follow up to r1868645 and r1868929.

Merge ->protocol_set.

mod_ssl: follow up to r1868645.

Keep the base server's SSLProtocol if none is configured on the vhost selected by Hello/SNI callback.

mod_ssl: follow up to r1868645.

Restore ssl_callback_ServerNameIndication() even with OpenSSL 1.1.1+, which depends on its return value (OK/NOACK), mainly on session resumption, for SSL_get_servername() to consider or ignore the SNI (returning NULL thus making SSLStrictSNIVHostCheck fail for possibly legitimate cases).

This means that init_vhost() should accurately return whether the SNI exists in the configured vhosts, even when it's called multiple times (e.g. first from ClientHello callback and then from SNI callback), so save that state in sslconn->vhost_found and reuse it.

Use native EOL for intended-duplicates.
Put intended duplicates AHs in their own file (outside the script).

AH01241 is intentionally duplicated.

Depending on the configured child error output, messages go to ErrorLog or stderr, but AH should be the same.

update-log-msg-tags: allow referencing intended duplicate tags.

To avoid noisy warnings when running "make update-log-tags".

mod_md: resolve duplicate tag.
mod_proxy_http: follow up to r1868576.

Omit sending 100 continue if the body is (partly) prefetched, per RFC 7231 (section 5.1.1).

mod_proxy_http: revert r1868625.

The HTTP_IN filter handles "100 Continue" the first time it's called only, and in spool_reqbody_cl() we have already tried to prefetch the body, so it's too late.

mod_ssl: negotiate the TLS protocol version per name based vhost configuration.

By using the new ClientHello callback provided by OpenSSL 1.1.1, which runs at the earliest connection stage, we can switch the SSL_CTX of the SSL connection early enough for OpenSSL to take into account the protocol configuration of the vhost.

In other words:

SSL_set_SSL_CTX(c->SSL, s->SSL_CTX)

followed by:

SSL_set_{min,max}_proto_version(SSL_CTX_get_{min,max}_proto_version(s->SSL_CTX))

works as expected at this stage (while the same from the SNI callback is ignored by/due to OpenSSL's state machine).

Extracting the SNI (to select the relevant vhost) in the ClientHello callback is not as easy as calling SSL_get_servername() though; we have to work with the raw TLS extension helpers provided by OpenSSL. I stole this code from a test in the OpenSSL source code (i.e. client_hello_select_server_ctx() in test/handshake_helper.c).

We can then call init_vhost() as with the SNI callback (in use only for OpenSSL versions earlier than 1.1.1 now), and pass it the extracted SNI.
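The server_name parsing that a ClientHello callback has to do by hand, as an added example that is neither mod_ssl's code nor the OpenSSL test the message refers to: it assumes the raw extension payload has already been fetched (OpenSSL 1.1.1 exposes it through SSL_client_hello_get0_ext()) and runs on a constructed sample, rejecting truncated or overrunning entries and embedded NULs instead of handing a partial name to vhost selection.

```c
#include <string.h>

/* Parse a TLS server_name extension payload (RFC 6066, section 3): a 2-byte
 * ServerNameList length, then entries of NameType (1 byte, 0 = host_name),
 * 2-byte HostName length and the HostName bytes. In a ClientHello callback
 * the payload comes from SSL_client_hello_get0_ext() for extension type 0.
 * Copies the first host_name into out, NUL-terminated; returns 1 on success,
 * 0 when the payload is malformed or carries no usable host_name. */
int sni_extract_host_name(const unsigned char *ext, size_t ext_len,
                          char *out, size_t out_size)
{
    size_t list_len, pos = 2;
    if (ext_len < 2)
        return 0;
    list_len = ((size_t)ext[0] << 8) | ext[1];
    if (list_len != ext_len - 2)         /* list must fill the payload exactly */
        return 0;
    while (pos + 3 <= ext_len) {
        unsigned char name_type = ext[pos];
        size_t name_len = ((size_t)ext[pos + 1] << 8) | ext[pos + 2];
        pos += 3;
        if (name_len > ext_len - pos)    /* entry overruns the payload */
            return 0;
        if (name_type == 0) {            /* host_name */
            if (name_len == 0 || name_len >= out_size)
                return 0;
            if (memchr(ext + pos, '\0', name_len) != NULL)   /* embedded NUL */
                return 0;
            memcpy(out, ext + pos, name_len);
            out[name_len] = '\0';
            return 1;
        }
        pos += name_len;                 /* skip name types we do not handle */
    }
    return 0;
}

/* Parses ext and reports whether the extracted host_name equals expected. */
int sni_matches(const unsigned char *ext, size_t ext_len, const char *expected)
{
    char host[256];
    return sni_extract_host_name(ext, ext_len, host, sizeof host) == 1
           && strcmp(host, expected) == 0;
}

/* Constructed sample payload (not captured traffic): one host_name entry. */
static const unsigned char SAMPLE_SNI_EXT[] = {
    0x00, 0x10, 0x00, 0x00, 0x0d,        /* list len 16; host_name, len 13 */
    'v', 'h', 'o', 's', 't', '.', 'e', 'x', 'a', 'm', 'p', 'l', 'e'
};
```

Passing a shorter ext_len than the payload declares (as a truncated record would) makes the list-length check fail, so the name is never partially accepted.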

mod_proxy_http: follow up to r1868576.

As suggested by Ruediger, let the HTTP_IN filter handle the 100 continue from spool_reqbody_cl().

Also, according to rfc7231#section-5.1.1, we don't need the interim response if we "already received some or all of the message body", which is now also taken into account.