Revision Log
mod_proxy: Handle backend address renewal with address_ttl= parameter.
Define a new proxy_address struct holding the current/latest sockaddr in use
by each proxy worker and conn. Since backend addresses can be updated when
their TTL expires and while connections are being processed, each address is
refcounted and freed only when the last worker (or conn) using it grabs the
new one.
The lifetime of the addresses is handled at a single place by the new
ap_proxy_determine_address() function. It guarantees to bind the current/latest
backend address to the passed in conn (or do nothing if it's up to date already).
The function is called indirectly by ap_proxy_determine_connection() for the
proxy modules that use it, or directly by mod_proxy_ftp and mod_proxy_hcheck.
It also is called eventually by ap_proxy_connect_backend() when connect()ing all
the current addresses fails, to check (PROXY_DETERMINE_ADDRESS_CHECK) if some
new addrs are available.
This commit is also a rework of the lifetime of conn->addr, conn->hostname
and conn->forward, using the conn->uds_pool and conn->fwd_pool for the cases
where the backend is connected through a UDS socket and a remote CONNECT proxy
respectively.
* include/ap_mmn.h:
Minor bump for new function/fields.
* modules/proxy/mod_proxy.h (struct proxy_address,
ap_proxy_determine_address()):
Declare ap_proxy_determine_address() and opaque struct proxy_address,
new fields to structs proxy_conn_rec/proxy_worker_shared/proxy_worker.
* modules/proxy/mod_proxy.c (set_worker_param):
Parse/set the new worker->address_ttl parameter.
* modules/proxy/proxy_util.c (proxy_util_register_hooks(),
ap_proxy_initialize_worker(),
ap_proxy_connection_reusable(),
ap_proxyerror(), proxyerror_core(),
init_conn_pool(), make_conn_subpool(),
connection_make(), connection_cleanup(),
connection_constructor()):
Initialize *proxy_start_time in proxy_util_register_hooks() as the epoch
from which expiration times are relative (i.e. seconds stored in an uint32_t
for atomic changes).
Make sure worker->s->is_address_reusable and worker->s->disablereuse are
consistent in ap_proxy_initialize_worker(), thus no need to check for both
in ap_proxy_connection_reusable().
New proxyerror_core() helper taking an apr_status_t to log, wrap in
ap_proxyerror().
New make_conn_subpool() to create worker->cp->{pool,dns} with their own
allocator.
New connection_make() helper to factorize code in connection_cleanup() and
connection_constructor().
* modules/proxy/proxy_util.c (proxy_address_inc(), proxy_address_dec(),
proxy_address_cleanup(), proxy_address_set_expired(),
worker_address_get(), worker_address_set(),
worker_address_resolve(), proxy_addrs_equal(),
ap_proxy_determine_address(),
ap_proxy_determine_connection(),
ap_proxy_connect_backend()):
Implement ap_proxy_determine_address() using the above helpers for atomic changes,
and call it from ap_proxy_determine_connection() and ap_proxy_connect_backend().
* modules/proxy/mod_proxy_ftp.c (proxy_ftp_handler):
Use ap_proxy_determine_address() and use the returned backend->addr.
* modules/proxy/mod_proxy_hcheck.c (hc_determine_connection, hc_get_backend,
hc_init_worker, hc_watchdog_callback):
Use ap_proxy_determine_address() in hc_determine_connection() and call the
latter from hc_get_backend(), replace hc_init_worker() by hc_init_baton()
which now calls hc_get_hcworker() and hc_get_backend() to resolve the first
address at init time.
* modules/proxy/mod_proxy_http.c (proxy_http_handler):
Use backend->addr and ->hostname instead of worker->cp->addr and
worker->s->hostname_ex respectively.
* modules/proxy/mod_proxy_ajp.c (ap_proxy_ajp_request):
Use backend->addr and ->hostname instead of worker->cp->addr and
worker->s->hostname_ex respectively.
Closes #367
mod_proxy: Check for space/ctrls in nocanon path/urls before forwarding.
* Whitespace fixes. No functional change.
Do not double encode encoded slashes
In case that AllowEncodedSlashes is set to NoDecode do not double encode
encoded slashes in the URL sent by the reverse proxy to the backend.
* include/ap_mmn.h: Document the addition of ap_proxy_canonenc_ex to the API.
* modules/proxy/mod_proxy.h: Declare ap_proxy_canonenc_ex and define flag
values.
* modules/proxy/proxy_util.c: Implement ap_proxy_canonenc_ex by modifying
ap_proxy_canonenc accordingly and reimplement ap_proxy_canonenc to
use ap_proxy_canonenc_ex with the appropriate flag.
* modules/http2/mod_proxy_http2.c, modules/proxy/mod_proxy_*.c: Set the
correct flag based on the AllowEncodedSlashes configuration and use
ap_proxy_canonenc_ex instead of ap_proxy_canonenc.
mod_proxy: Check the query-string for proxy-noencode too. Follow up to r1907972 and r1908095.
don't forward invalid query strings Submitted by: rpluem
mod_proxy: Don't decode r->uri and reencode in r->filename for mapping=encoded. Decoding was not done for mapping=servlet only (a subset), but overlooked for mapping=encoded. To avoid double-encoding in the canon_handler hook, use a new "proxy-noencode" (similarly to "proxy-nocanon") entry in r->notes. * proxy/mod_proxy.c(ap_proxy_trans_match): Set "proxy-noencode" in r->notes for PROXYPASS_MAP_ENCODED, and return DONE to avoid decoding in ap_process_request_internal(). * proxy/mod_proxy_http.c, proxy/mod_proxy_ajp.c, proxy/mod_proxy_wstunnel.c, proxy/mod_proxy_fcgi.c, proxy/mod_proxy_ajp.c, http2/mod_proxy_http2.c: Don't process the url through ap_proxy_canonenc() in canon_handler if "proxy-noencode" is set.
SECURITY: CVE-2022-37436 (cve.mitre.org) Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client. fail on bad header
mod_proxy_http: Follow up to r1901420: consistent 100-continue checks. Let proxy_http_handler() tell ap_proxy_create_hdrbrgd() whether to add or preserve Expect header or not, through the "proxy-100-continue" note.
mod_proxy_http: Avoid 417 responses for non forwardable 100-continue. PR 65666. Stop returning 417 when mod_proxy has to forward an HTTP/1.1 request with both "Expect: 100-continue" and "force-proxy-request-1.0" set, mod_proxy can instead handle the 100-continue by itself before forwarding the request, like in the "Proxy100Continue Off" case. Note that this does not change the behaviour of httpd receiving an HTTP/1.0 request with an Expect header, ap_check_request_header() will still correctly return 417 in this case.
*) mod_proxy: Add backend port to log messages to
ease identification of involved service.
* Report a broken backend in case reading the response line failed on the first request on this connection otherwise we assume we have just run into a keepalive race and the backend is still healthy.
* Keep track of the number of keepalives we processed on this connection.
*) mod_http: generate HEADERS buckets for trailers
mod_proxy: forward trailers on chunked request encoding
test: add http/1.x test cases in pytest
*) core: add ap_h1_append_header() for single header values.
*) mod_proxy: use of new ap_h1_header(s) functions for
formatting HTTP/1.1 requests.
* Do not change the status code after we already sent it to the client. Changing the status code after we sent it to the client causes a status code being logged that is different from the one sent to the client which can be confusing.
mod_proxy: Handle ap_proxy_buckets_lifetime_transform() errors.
* modules/proxy/mod_proxy.h,modules/proxy/proxy_util.c:
Add ap_proxy_fill_error_brigade() to factorize proxy error handling
on the client connection side.
* modules/proxy/mod_proxy_{http,ajp,uwsgi}.c:
Use ap_proxy_fill_error_brigade() where needed, including when an
empty brigade is returned on the backend side or when calling
ap_proxy_buckets_lifetime_transform fails.
mod_proxy: Restore ap_proxy_transfer_between_connections().
* modules/proxy/mod_proxy.h:
Restore the interface of ap_proxy_transfer_between_connections() back to
before MMN 20210506.0.
Add ap_proxy_tunnel_conn_bytes_in() and ap_proxy_tunnel_conn_bytes_out().
New proxy_tunnel_conn_t typedef'ed from opaque struct proxy_tunnel_conn.
* modules/proxy/mod_proxy.h(ap_proxy_tunnel_conn_get_read,
ap_proxy_tunnel_conn_get_transferred):
Axed/replaced by ap_proxy_tunnel_conn_bytes_in() and
ap_proxy_tunnel_conn_bytes_out().
* modules/proxy/proxy_util.c(struct proxy_tunnel_conn):
Replace "exchanged" by "bytes_in" and "bytes_out".
* modules/proxy/proxy_util.c(proxy_transfer):
New helper implementing ap_proxy_transfer_between_connections() and
returning both &bytes_in and &bytes_out.
* modules/proxy/proxy_util.c(ap_proxy_transfer_between_connections):
Now calls proxy_transfer().
* modules/proxy/proxy_util.c(ap_proxy_tunnel_conn_bytes_in,
ap_proxy_tunnel_conn_bytes_out):
Return tc->bytes_in and tc->bytes_out respectively.
* modules/proxy/proxy_util.c(proxy_tunnel_forward):
Use proxy_transfer() which updates in->bytes_in, &out->bytes_out.
tunnel->replied will be updated in proxy_tunnel_run().
* modules/proxy/proxy_util.c(proxy_tunnel_forward):
Fall through the "done" label in any case to set tunnel->replied based
on tunnel->client->bytes_out > 0.
* modules/proxy/mod_proxy_http.c(ap_proxy_http_process_response):
Use ap_proxy_tunnel_conn_bytes_{in,out}() for worker->s->{read,transferred}
accounting.
* modules/proxy/mod_proxy_http.c(proxy_http_async_finish):
Update worker->s->{read,transferred} when async too.
mod_proxy_http: Avoid a double call to apr_table_get(). * modules/proxy/mod_proxy_http.c (ap_proxy_http_process_response): Save a call to apr_table_get(r->headers_out, "Transfer-Encoding"). No functional change.
*) core/mod_proxy/mod_ssl:
Adding `outgoing` flag to conn_rec, indicating a connection is
initiated by the server to somewhere, in contrast to incoming
connections from clients.
Adding `ap_ssl_bind_outgoing()` function that marks a connection
as outgoing and is used by mod_proxy instead of the previous
optional function `ssl_engine_set`. This enables other SSL
module to secure proxy connections.
The optional functions `ssl_engine_set`, `ssl_engine_disable` and
`ssl_proxy_enable` are now provided by the core to have backward
compatibility with non-httpd modules that might use them. mod_ssl
itself no longer registers these functions, but keeps them in its
header for backward compatibility.
The core provided optional functions wrap any registered function
like it was done for `ssl_is_ssl`.
Allow the tunnelled connections to report the read and transferred to the back-end worker.
mod_proxy_http: follow up to r1886141, axe overlong scheme check. Since mod_proxy can see CONNECT URIs, "hostname:port" versus "scheme:" is hardly distinguishable (we don't want to limit the length of hostnames), and we don't allocate the scheme anymore while parsing, let's simply decline unrecognized schemes (overlong or not) and be caught by the no-handler case if there really is no proxy handler interested.
* We need to check for (!scheme && (u = strchr(url, ':')) && (u - url) > 14) later as (!scheme || u[0] != '/' || u[1] != '/' || u[2] == '\0') is true for requests with the CONNECT method which we need to decline. But in many cases requests with the CONNECT method have (u - url) > 14 as in this case (u - url) is the length of the FQDN the forward proxy should connect to.
mod_proxy_http: follow up to r1885239: fix *is_ssl for wss scheme.
mod_proxy_wstunnel: leave Upgrade requests handling to mod_proxy_http.
Let mod_proxy_http's canon and scheme handlers accept "ws[s]:" schemes so that
mod_proxy_wstunnel can decline requests when mod_proxy_http is loaded.
* modules/proxy/{mod_proxy.h,proxy_util.c} (ap_proxy_worker_can_upgrade):
Add a "dflt" argument to ap_proxy_worker_can_upgrade() which, if not NULL,
is matched when no worker upgrade= parameter is configured. This allows to
handle the default "Upgrade: websocket" case for "ws[s]:" schemes.
* modules/proxy/mod_proxy_http.c (proxy_http_canon, proxy_http_handler):
Add and use the new get_url_scheme() helper to parse URL schemes handled by
mod_proxy_http and use it in canon and scheme handlers. This helper now
accepts ws[s] schemes.
* modules/proxy/mod_proxy_wstunnel.c (proxy_wstunnel_post_config):
New post_config hook to detect whether mod_proxy_http is loaded and set
global fallback_to_mod_proxy_http flag in this case.
* modules/proxy/mod_proxy_wstunnel.c (proxy_wstunnel_check_trans,
proxy_wstunnel_canon,
proxy_wstunnel_handler):
These hooks now early return DECLINED if fallback_to_mod_proxy_http is set.
Revert r1480058, -1'ed on dev@ and STATUS. Never backported (and never will supposedly), while often creating merge conflicts. See https://lists.apache.org/thread.html/be0e7bdc3510fddd2dd80accece44917eba361ef4fcc713dd0f7f7fa%401367999236%40%3Cdev.httpd.apache.org%3E and https://lists.apache.org/thread.html/6e63271b308a2723285d288857318e7bb51b6756690514d9bc75a71b%401371148914%40%3Ccvs.httpd.apache.org%3E
mod_proxy: provide prefetching and spooling mechanisms to all proxy modules. Export ap_proxy_prefetch_input(), ap_proxy_spool_input() and ap_proxy_read_input() from mod_proxy_http to mod_proxy.h/proxy_util.c so that they are usable by all proxy modules. mod_proxy_fcgi will use them in a following commit.
Make HTTP_IN filter send 100 continue in blocking mode only. When mod_proxy_http prefetches input data it calls the HTTP_IN filter in nonblocking mode, but since it does not want 100 continue to be sent for every case (e.g. 100-continue forwarding), it hacks r->expecting_100 (save in req->expecting_100, reset, eventually restore..) all over the place. Let's avoid this by making the HTTP_IN filter send 100 continue only when called in blocking mode (once still), instead of the first time it's called. * modules/http/http_filters.c (struct http_filter_ctx): Add the seen_data bit and rename eos_sent to at_eos (HTTP_IN does not send any EOS). * modules/http/http_filters.c (ap_http_filter): Move 100 continue handling outside the initialization/once block, and do it in blocking mode only. Track in ctx->seen_data whether some data were already received, and if so don't send 100 continue per RFC 7231 5.1.1. * modules/proxy/mod_proxy_http.c: Remove req->expecting_100 (and its dance with r->expecting_100) now that reading from the input filters does the right thing.
mod_proxy_http: follow up to r1879419. Better ap_proxy_tunnel_run() error handling.
Follow up to r1879449: yet better MPM poll callback API. Let pass a const pfds to the MPM, for it to make a copy on the given pool as needed.
mpm_common: add pool argument to mpm_register_poll_callback[_timeout] hooks. This is cleaner API than using pfds->pool implicitly. MAJOR bump but reusing the existing hooks (with an API/ABI breakage) because it's trunk material only.
mod_proxy_http: follow up to r1879419: clarify poll callback pds/subpool. Comments about why we need a dedicated pfds and its subpool for ap_mpm_register_poll_callback_timeout().
mod_proxy_http: handle async tunneling of Upgrade(d) protocols. When supported by the MPM (i.e. "event"), provide async callbacks and let them be scheduled by ap_mpm_register_poll_callback_timeout(), while the handler returns SUSPENDED. The new ProxyAsyncDelay directive (if positive) enables async handling, while ProxyAsyncIdleTimeout determines the timeout applied on both ends while tunneling. Github: closes #126
mod_proxy: improved and reentrant tunneling loop.
modules/proxy/mod_proxy.h:
Rename AP_PROXY_TRANSFER_SHOULD_YIELD to AP_PROXY_TRANSFER_YIELD_PENDING
and add AP_PROXY_TRANSFER_YIELD_MAX_READS.
modules/proxy/mod_proxy_http.c:
modules/proxy/mod_proxy_wstunnel.c:
Removing of reqtimeout filter is now handled by ap_proxy_tunnel_create().
modules/proxy/proxy_util.c:
ap_proxy_transfer_between_connections():
Reorganize loop to break out early.
When AP_PROXY_TRANSFER_YIELD_PENDING, if !ap_filter_should_yield() we
still need to run and check ap_filter_output_pending() since it may
release pending data.
When AP_PROXY_TRANSFER_YIELD_MAX_READS, stop the loop after too many
reads (PROXY_TRANSFER_MAX_READS = 10000) to release the thread and
give the caller a chance to schedule the other direction.
Don't return APR_INCOMPLETE when it comes from an incomplete body
detected by ap_http_filter().
ap_proxy_tunnel_create():
Start with POLLOUT on both directions so that any pending output data
is flushed first.
ap_proxy_tunnel_run():
Remove re-init/clear of the pollset for each call so that the function
is reentrant.
Handle POLLOUT before POLLIN so that we can read in the same pass once
all buffered output data are flushed, using ap_filter_input_pending()
to drain buffered input data.
This is a preparatory patch for async websocket tunneling in mod_proxy_http.
mod_proxy_http: always stream the request body by default. Simplify streaming by using Content-Length if the length is available, or chunked Transfer-Encoding otherwise. Spooling to memory/file will only be used if force-proxy-request-1.0 or proxy-sendcl are set. This removes the handling of proxy-sendchunked and proxy-sendchunks.
mod_proxy_http: put request/response splitting checks under the same comment. If stream_reqbody() detects a Content-Length vs bytes streamed mismatch it means that a module's filter played bad games, such inconsistency on the client connection would have been caught by ap_http_filter(). So move AH01087 logic to AH01086, under the same comment and log message, and always return HTTP_INTERNAL_SERVER because the client is not the culprit here.
mod_proxy_http: don't strip EOS when spooling request body to file. To prevent stream_reqbody() from sending the FILE and FLUSH bucket in separate brigades, and thus apr_file_setaside() to trigger if network congestion occurs with the backend, restore the EOS in spool_reqbody_cl() which was stripped when spooling the request body to a file. Until APR r1878279 is released (and installed by users), apr_file_setaside() on a temporary file (mktemp) will simply drop the file cleanup, leaking the fd and inode.. This fixes BZ 64452.
core,modules: provide/use ap_parse_strict_length() helper. It helps simplifying a lot of duplicated code based on apr_strtoff(), while also rejecting leading plus/minus signs which are disallowed in Content-Length and (Content-)Range headers.
mod_proxy_http: follow up to r1877696: reindent. No functional changes.
mod_proxy_http: axe ap_proxy_should_override() duplicate checks.
mod_proxy_http: follow up to r1877646: send Upgrade header with 101 response. Also, add a comment about why we forward the Upgrade header in non-101 responses provided the protocol matches the upgrade= configuration.
mod_proxy_http: handle Upgrade requests and upgraded protocol forwarding.
If the request Upgrade header matches the worker upgrade= parameter and
the backend switches the protocol, do the tunneling in mod_proxy_http.
This allows to keep the protocol to HTTP until the backend really
switches the protocol, and apply usual output filters.
When configured to forward Upgrade mechanism, we want the backend to be
able to announce its Upgrade protocol to the client (e.g. with 426
Upgrade Required response) and thus forward back the Upgrade header that
matches the one(s) configured in the worker upgrade= parameter.
modules/proxy/mod_proxy.h:
modules/proxy/proxy_util.c:
ap_proxy_worker_can_upgrade(): added helper to determine whether a
proxy worker is configured to forward an Upgrade protocol.
include/ap_mmn.h:
Bump MMN minor for ap_proxy_worker_can_upgrade().
modules/proxy/mod_proxy.c:
set_worker_param(): handle worker parameter upgrade=ANY as upgrade=*
(should the "any" protocol scheme be something some day..).
modules/proxy/mod_proxy_wstunnel.c:
proxy_wstunnel_handler(): use ap_proxy_worker_can_upgrade() to match
the Upgrade header. Axe handling of upgrade=NONE, it makes no sense to
Upgrade a connection if the client did not ask for it, nor to configure
mod_proxy_wstunnel to use a worker with upgrade=NONE by the way.
modules/proxy/mod_proxy_http.c:
proxy_http_req_t: add fields force10 (force HTTP/1.0) and upgrade (value
of the Upgrade header sent by the client if it matches the configuration,
NULL otherwise).
proxy_http_handler(): use ap_proxy_worker_can_upgrade() to determine
whether the request is electable for end to end protocol upgrading and set
req->upgrade accordingly.
terminate_headers(): handle Connection and Upgrade headers to send to the
backend, according to req->force10 and req->upgrade set before.
ap_proxy_http_prefetch(): use req->force10 and terminate_headers().
send_continue_body(): added helper to send the body retained for end to
end 100-continue handling.
ap_proxy_http_process_response(): use ap_proxy_worker_can_upgrade() to
match the response Upgrade header and forward it back if it matches the
configured one(s). That is for 101 Switching Protocol obviously but also
any other status code which is not overridden, at the backend wish. If the
protocol is switching, create a proxy tunnel and run it, using the minimal
timeout from the client or backend connection.
Github: closes #125
mod_proxy_http: follow up to r1877557. Yet better, call proxy_run_detach_backend() at the caller.
mod_proxy_http: single point of failure in ap_proxy_http_process_response(). No functional change (intended).
Add missing pool tags to help debugging.
PR63628: individual status codes for ProxyErrorOverride. Support specifying the http status codes to be considered by ProxyErrorOverride Submitted By: Martin Drößler <mail martindroessler.de> Committed By: covener
* modules/proxy/mod_proxy_http.c (ap_proxy_http_process_response): Clear any possible returned buckets in the brigade in the error case. As we want to close the connection anyway there is no sensible content we could still send and hence doing the needed life time transformation of the buckets would be a waste. PR: 64234
Fix spelling errors found by codespell. [skip ci]
proxy: add local address to body-forwarding errors Adds the local/ephemeral port for the backend connection
mod_proxy_http: follow up to r1869216. Let's call stream_reqbody() for all rb_methods, no RB_SPOOL_CL special case. This both simplifies code and allows to keep EOS into the input_brigade until it's sent, and thus detect whether we already fetched the whole body if/when proxy_http_handler() re-enters for different balancer members.
Revert r1869222, wrong files committed.
mod_proxy_http: follow up to r1869216. Let's call stream_reqbody() for all rb_methods, no RB_SPOOL_CL special case. This both simplifies code and allows to keep EOS into the input_brigade until it's sent, and thus detect whether we already fetched the whole body if/when proxy_http_handler() re-enters for different balancer members. [reverted by r1869223]
mod_proxy_http: fix load-balancer fallback for requests with a body. Since r1656259 (or r1656259 in 2.4.41) and the move of prefetch before connect, the balancer fallback case where proxy_http_handler() is re-entered with the next balancer member broke. We need to save the body (partially) prefetched the first time and reuse it on successive calls, otherwise we might forward partial or empty body.
mod_proxy_http: follow up to r1868576. Omit sending 100 continue if the body is (partly) prefetched, per RFC 7231 (section 5.1.1).
mod_proxy_http: revert r1868625. The HTTP_IN filter handles "100 Continue" the first time it's called only, and in spool_reqbody_cl() we have already tried to prefetch the body, so it's too late.
mod_proxy_http: follow up to r1868576. As suggested by Ruediger, let the HTTP_IN filter handle the 100 continue from spool_reqbody_cl(). Also, according to rfc7231#section-5.1.1, we don't need the interim response if we "already received some or all of the message body", which is now also taken into account. [Reverted by r1868652]
mod_proxy_http: Fix 100-continue deadlock for spooled request bodies. PR 63855. Send "100 Continue", if needed, before fetching/blocking on the request body in spool_reqbody_cl(), otherwise mod_proxy and the client can wait for each other, leading to a request timeout (408). While at it, make so that ap_send_interim_response() uses the default status line if none is set in r->status_line.
mod_proxy/ssl: Proxy SSL client certificate configuration and other proxy SSL configurations broken inside <Proxy> context. PR 63430 Triggered by r1855646+r1855748. Patch from rpluem (proxy) and ylavic (ssl).
mod_proxy: follow up to r1836588: configurable Proxy100Continue. Add Proxy100Continue directive to allow for 100-continue forwarding opt-out.
mod_proxy_http: revert spurious comment from r1853953. No, if we read more bytes than the C-L there is really something wrong in our (or some) HTTP input filter.
mod_proxy_http: common function for stream_reqbody_{cl,chunked}()
Since stream_reqbody_cl() and stream_reqbody_chunked() now have the same
structure, join them into a single stream_reqbody() function which is passed
the rb_method to handle only CL vs chunked cases differently.
mod_proxy_http: follow up to r1853561. Handle "proxy-sendextracrlf" within the loop too. Btw, this extra CRLF heresy should go (at least in trunk)
Revert r1853564.
mod_proxy_http: follow up to r1853409: no need to double flush on EOS. [Reverted by r1853565]
mod_proxy_http: follow up to r1853409: don't play with meta-buckets. It's better/simpler to handle the final 0-size chunk within the loop (on EOS).
mod_proxy_http: follow up to r1853409. Don't send two final 0-size chunks when the last read brigade is a single EOS.
mod_proxy_http: rework the flushing strategy when forwarding the request body. Since the forwarding of 100-continue (end to end) in r1836588, we depended on reading all of the requested HUGE_STRING_LEN bytes to avoid the flushes, but this is a bit fragile. This commit introduces the new stream_reqbody_read() function which will try a nonblocking read first and, if it fails with EAGAIN, will flush on the backend side before blocking for the next client side read. We can then use it in stream_reqbody_{chunked,cl}() to flush client forwarded data only when necessary. This both allows "optimal" flushing and simplifies code (note that spool_reqbody_cl() also makes use of the new function but not its nonblocking/flush functionality, thus only for consistency with the two others, simplification and common error handling). Also, since proxy_http_req_t::flushall/subprocess_env::proxy-flushall are now meaningless (and unused) on the backend side, they are renamed respectively to prefetch_nonblocking/proxy-prefetch-nonblocking, and solely determine whether to prefetch in nonblocking mode or not. These flags were trunk only and may not be really useful if we decided to prefetch in nonblocking mode in any case, but for 2.4.x the opt-in looks wise.
http: Enforce consistently no response body with both 204 and 304 statuses. Provide AP_STATUS_IS_HEADER_ONLY() helper/macro to check for 204 or 304 and use it where some special treatment is needed when no body is expected. Some of those places handled 204 only.
mod_proxy_http: follow up to r1836588: nonblocking read for 100-continue body. Set nonblocking read (req->flushall) when handling 100-continue since no body is expected to be there already.
mod_proxy_http: follow up to r1836588: fix drop of spurious 100 responses. r1836588 broke t/security/CVE-2008-2364.t by forwarding more than one "100 continue" response, fix it.
mod_proxy_http: follow up to r1836588/r1836648: handle unread 100-continue. When the backend responds with a non-interim response to a 100-continue, mod_proxy_http won't read the client's body, so make sure "Connection: close" ends up being added to the response if nobody reads that body later. The right thing to do at mod_proxy level, rather than forcing AP_CONN_CLOSE, is to restore r->expecting_100 so that further processing (like error_override or trying on the next balancer member) can still work.
mod_proxy_http: follow up to r1836588: avoid 100-continue responses from core. When mod_proxy_http handles end-to-end "100 continue", it can't let ap_http_filter() send its own interim response whenever the body is read. So save/restore r->expecting_100 before/after handling the request, and use req->expecting_100 internally (including to restore r->expecting appropriately). While at it, add comments and debug logs about 100 continue handling, and fill in missing APLOGNO()s from r1836588.
mod_proxy_http: forward 100-continue. Handle end-to-end 100-continue, according to RFC 7231, such that the client request body is not read/forwarded (according to its "Expect:" header) until the backend wants to receive it (with interim 100 continue response), or never forwarded if the backend provides a (non-interim) response and doesn't need the client body at all. This is achieved by filling the header_brigade in ap_proxy_http_prefetch() and letting ap_proxy_http_request() determine whether it should forward that brigade only (with the "Expect: 100-continue" specified by the client or added according to "ping=" configuration), or forward the whole body for the usual case (as before). When 100-continue expectation is in place, the body is actually forwarded by ap_proxy_http_process_response() when/if a "100 continue" response is sent by the backend, otherwise the body is discarded; a future enhancement could make so that in a balancer configuration, the body could be forwarded to another balancer member depending on the status/error from the backend. So stream_reqbody_cl() and stream_reqbody_chunked() functions are adapted to be called by either ap_proxy_http_request() or ap_proxy_http_process_response(), while spool_reqbody_cl() still spools the body in ap_proxy_http_prefetch() thus before the backend is connected/reused to avoid inactivity on the connection for the prefetch time (the prefetched body is also forwarded according to the 100-continue expectation, though). Also, since the brigades and other runtime objects now need to be shared by the ap_proxy_http_*() functions chain, a proxy_http_req_t struct/context is created from the start and passed to them as (the single) argument. 
This is also a good candidate for a future async baton, if we wanted to let the MPM event wait for connection data for us at any stage and be called back ;) Finally, ap_send_interim_response() is modified to correctly handle 100 continue responses once, and take care of clearing r->expecting_100 only for them. PR 60330.
* Always retrieve conditional function. static variable might contain garbage if module was reloaded in a static build.
Axe ap_rgetline_core(), not used anymore.
mod_proxy_http: follow up to r1829573: remain EBCDIC friendly. Keep using ap_rgetline() as before r1829573, since ap_rgetline_core() is EBCDIC agnostic.
mod_proxy_http: make use of AP_GETLINE_NOSPC_EOL in ap_proxygetline(). Fixes response header thrown away after the previous one was considered too large and truncated. PR 62196.
add log id for r1828926
PR62199: add worker parameter ResponseFieldSize to mod_proxy Submitted By: Hank Ibell Committed By: covener
mod_proxy: Provide an RFC1035 compliant version of the hostname in the proxy_worker_shared structure. PR62085
mod_proxy: allow SSLProxyCheckPeer* usage for all proxy modules. PR 61857. Proposed by: Markus Gausling <markusgausling googlemail.com> Reviewed by: ylavic
Fix for JBCS-390. Note it is related to PR 59007
Move definition of ASCII_ZERO to httpd.h and rename it ZERO_ASCII for consistency reason. Remove definition of ASCII_CRLF which is the same as CRLF_ASCII. Use ZERO_ASCII and CRLF_ASCII in mod_proxy_http
[mod_proxy_]http: follow up to r1750392. Export [ap_]check_pipeline() and use it also for ap_proxy_check_connection(), so that all the necessary checks on the connection are done before reusing it.
Revert r1756064 and r1756060 until fixed (tests framework passes).
[mod_proxy_]http: follow up to r1750392. Export [ap_]check_pipeline() and use it also for ap_proxy_check_connection(). [Reverted by r1756065]
mod_proxy_http: 204 or 304 cannot happen here since ap_is_HTTP_ERROR() above is true.
mod_proxy_http: handle 401 error override in the same block as other errors to simplify logic, no functional change.
mod_proxy_http: don't pretend we are sending a body before ProxyErrorOverride takes place, the response is to be handled by ErrorDocument in this case. Also it is useless to take care of pre-read data since the body is discarded in this case.
mod_proxy_http: ping retry only if full 100-continue conditions are met.
mod_proxy: follow up to r1750392. Avoid double checking the connection in ap_proxy_connect_backend() when ap_proxy_check_backend() says it is up and good to go. This can be done by moving the PROXY_WORKER_IS_USABLE() check in ap_proxy_check_backend(), since it is called by ap_proxy_connect_backend(), and not calling the latter if the former succeeded (for the modules using it).
mod_proxy: we don't need ap_proxy_ssl_connection_cleanup() anymore with ap_proxy_check_backend() used at connection reuse time, so remove its last call and deprecate it.
mod_proxy: use proxy_conn_rec->tmp_bb where appropriate to avoid temporary brigade create/destroy.
mod_proxy_{http,ajp,fcgi}: don't reuse backend connections with data available
before the request is sent. PR 57832.
ap_proxy_check_backend() can be used before ap_proxy_connect_backend() to try
to read available data (including from the filters), and is called by
ap_proxy_connect_backend() to check the socket state only (as before, still
relevant after ap_proxy_check_backend() due to filter data which may not have
triggered a real socket operation).
Rename ap_casecmpstr[n]() to ap_cstr_casecmp[n](), update with APR doxygen
Avoid memory allocation before making sure that this handler can handle the URL
mod_proxy, mod_ssl: Handle SSLProxy* directives in <Proxy> sections, allowing per backend TLS configuration.
Add missing proxy_run_detach_backend() on error path
mod_proxy: axe negative "ping" parameter setting and handling. This used to check for the backend connection readability only (instead of the full ping/100-continue round-trip), but the case is already handled by ap_proxy_connect_backend() which is always called.
* Use new ap_proxy_buckets_lifetime_transform
* For creating new buckets always use the bucket allocator of the brigade in which we want to put the bucket. Currently this does not change behaviour as r->connection->bucket_alloc and to->bucket_alloc are the same. It is a cleanup and preparation for abstracting this in a proxy API.
Abstract out as macro
Follow up to r1715880: revert abusive ap_casecmpstr[n]() usages.
More ap_casecmpstr[n]() usages (follow up to r1715876).
Use new ap_casecmpstr[n]() functions where appropriate (not exhaustive).
Revert r1715789: will re-commit without spurious functional changes.
Use new ap_casecmpstr[n]() functions where appropriate (not exhaustive). [Reverted by r1715869]
Remove some useless 'return' statements. Fix style and alignment.
s/\<\(\w\+\)\>\s\+\<\1\>/\1/g
mod_proxy: follow up to r1681694. Handle the proxy-error-override note also in mod_proxy_ajp. The note is not needed in mod_proxy_fcgi (which also handles ProxyErrorOverride) since it calls ap_die() by itself, and always returns OK to proxy_handler(). Add a comment about the note where used.
mod_proxy: Don't put the worker in error state for 500 or 503 errors returned by the backend unless failonstatus is configured to. PR 56925.
mod_proxy_http: follow up to r1656259. The proxy connection may be NULL during prefetch, don't try to dereference it! Still origin->keepalive will be set according to p_conn->close by the caller (proxy_http_handler).
Remove some spaces between some return statements and ';' + fix a strange formatting in a 'for' loop
mod_proxy_http: Use the "Connection: close" header for requests to backends not recycling connections (disablereuse), including the default reverse and forward proxies.
mod_proxy_http: Don't expect the backend to ack the "Connection: close" to finally close those not meant to be kept alive by SetEnv proxy-nokeepalive or force-proxy-request-1.0, and respond with 502 instead of 400 if its Connection header is invalid.
mod_proxy(es): Avoid error response/document handling by the core if some input filter already did it while reading client's payload. When an input filter returns AP_FILTER_ERROR, it has already called ap_die() or at least already responded to the client. Here we don't want to lose AP_FILTER_ERROR when returning from proxy handlers, so we use ap_map_http_request_error() to forward any AP_FILTER_ERROR to ap_die() which knows whether a response needs to be completed or not. Before this commit, returning an HTTP error code in this case caused a double response to be generated. Depends on r1657881 to preserve r->status (for logging) when nothing is to be done by ap_die() when handling AP_FILTER_ERROR.
mod_proxy_http: don't connect or reuse backend before prefetching request body. The goal is to minimize the delay between this connection is considered alive and the first bytes sent (should the client's link be slow or some input filter retain the data). This is a best effort to prevent the backend from closing (from under us) what it thinks is an idle connection, hence to reduce to the minimum the unavoidable local ap_proxy_is_socket_connected() vs remote keepalive race condition. PR 56541. Also, allow the new subprocess_env variable "proxy-flushall" to prevent any buffering of the request body before it is forwarded to the backend. When set, the prefetch is still done (although non-blocking), so we can still determine Content-Length vs chunked vs spooled (depending on data available with the header or while reading it), and then all brigades are flushed when passed to the backend. PR 37920.
Switch preference for headers, Transfer-Encoding first, Content-Length second. Addition to r1615289.
PR53420: Proxy responses with error status and "ProxyErrorOverride On" hang until proxy timeout. Regression from 2.2. It was introduced by r912063 in order to fix PR41646.
*) SECURITY: CVE-2013-5704 (cve.mitre.org)
core: HTTP trailers could be used to replace HTTP headers
late during request processing, potentially undoing or
otherwise confusing modules that examined or modified
request headers earlier. Adds "MergeTrailers" directive to restore
legacy behavior.
Submitted By: Edward Lu, Yann Ylavic, Joe Orton, Eric Covener
Committed By: covener
SECURITY (CVE-2014-0117): Fix a crash in mod_proxy. In a reverse proxy configuration, a remote attacker could send a carefully crafted request which could crash a server process, resulting in denial of service. Thanks to Marek Kroemeke working with HP's Zero Day Initiative for reporting this issue. * server/util.c (ap_parse_token_list_strict): New function. * modules/proxy/proxy_util.c (find_conn_headers): Use it here. * modules/proxy/mod_proxy_http.c (ap_proxy_http_process_response): Send a 400 for a malformed Connection header. Submitted by: Edward Lu, breser, covener
mod_proxy_http: avoid (unlikely) access to freed memory.
mod_proxy: Preserve original request headers even if they differ
from the ones to be forwarded to the backend. PR 45387.
mod_proxy_http: Add detach_backend hook. The immediate use is for a SSL-related module which works on the backend proxy connection to be able to "leak" information into the client r for logging. This could be useful with other proxy scheme handlers.
Use 'apr_table_setn' instead of 'apr_table_set' when possible in order to save memory.
fix spelling
Redo what was reverted in r1572627. Don't reuse a SSL backend connection whose SNI differs. PR 55782. This may happen when ProxyPreserveHost is on and the proxy-worker handles connections to different Hosts.
Revert r1572606 for the time being since backport would conflict with 2.4.x's proxy_conn_rec. The uds_path field is at the end of the struct in 2.4.x but not in trunk. Fix that first, then recommit.
Don't reuse a SSL backend connection whose SNI differs. PR 55782. This may happen when ProxyPreserveHost is on and the proxy-worker handles connections to different Hosts.
Avoid useless functions calls.
Log an error in mod_proxy_http when reading the request body fails. Follow-up to r1538776 where incomplete bodies are detected and an error returned through the input filters.
mod_proxy_http: don't recycle backend connections known to be closed (eg. EOS by close). This saves a useless ap_is_socket_connected() call when reused.
Cleanup the bb brigade, because buckets inserted to it can be created from scpool and this pool can be freed before this brigade. POSSIBLE (but as yet unconfirmed) fix for crashes seen with threaded servers, e.g. PR 50335.
We were not being consistent between http and others if we added the default port or not during the canonizing phase... Baseline the http method (don't add unless the port provided isn't the default).
* modules/proxy/mod_proxy_http.c (ap_proxy_http_request): Use the same brigade lifetime for the header brigade as the other brigades. POSSIBLE (but as yet unconfirmed) fix for crashes seen with threaded servers, e.g. PR 50335; appears correct or at least not harmful. PR: 50335
ping tuning via Yann Ylavic <ylavic.dev@gmail.com>
fill in missing message numbers in APLOGNO() invocations
Save a few cycles
Allow for a simple socket check in addition to the higher level protocol-level checks for backends... Not sure if it makes sense to do both or not... Comments?
mod_proxy_http: Make the proxy-interim-response environment variable effective by formally overriding origin server behaviour.
core: Stop the HTTP_IN filter from attempting to write error buckets to the output filters, which is bogus in the proxy case. Create a clean mapping from APR codes to HTTP status codes, and use it where needed.
mod_proxy, mod_proxy_http: Connection headers must be stripped on the way in and out, support an optional function to handle this.
mod_proxy: Ensure network errors detected by the proxy are returned as 504 Gateway Timeout as opposed to 502 Bad Gateway, in order to be compliant with RFC2616 14.9.4 Cache Revalidation and Reload Controls. [Reverted by r1884280]
Add failontimeout to allow server admin to mark balancer member in err if IO timeout occurs.
axe unused variable dconf (since r1453875)
Pull out duplicated code to proxy_util...
* A limit of zero means unlimited for LimitRequestBody. PR: 54435 Submitted by: Pavel Mateja <pavel netsafe.cz> Reviewed by: rpluem
Fix closing the back end connection in case of error. The field "closed" was changed from an int to a bit field of size one in 2.4.x. For historical reasons a close instruction was coded as an increment on the field, which in 2.4.x flips the field each time. There were multiple code paths that would flip it several times for a single error, so effectively the connection was no longer closed in these cases. Especially in the case of an aborted client connection this led to a non consumed back end buffer and thus to response mixup between users. PR 53727 CVE-2012-3052
* Use the same hostname for SNI as for the HTTP request when forwarding to SSL backends. PR: 53134 Based on a patch from: Michael Weiser <michael weiser.dinsnail.net> Reviewed by: rpluem
* modules/proxy/mod_proxy_http.c (ap_proxy_http_process_response): Treat EAGAIN as an error for a blocking read from the input filter stack.
Further clarify the naming of the entity that directly connects to us by calling that entity a client instead of a peer.
Further clarify the naming of the entity that originates the request by calling that entity a useragent instead of a client.
mod_proxy: Remove ap_proxy_make_fake_req() from the public API.
mod_proxy: Remove ap_proxy_date_canon() from the public API.
mod_proxy: Remove ap_proxy_buckets_lifetime_transform() from the public API.
mod_proxy: Remove ap_proxy_liststr(), it duplicates ap_find_token().
Add lots of unique tags to error log messages
Introduce a per connection "peer_ip" and a per request "client_ip" to distinguish between the raw IP address of the connection and the effective IP address of the request.
Introduce a per request version of the remote IP address, which can be optionally modified by a module when the effective IP of the client is not the same as the real IP of the client (such as a load balancer).
great proxy logging cleanup:
* remove "proxy:", "FCGI", etc. prefixes and pid which are now
included in the error log format
* propagate frontend request's logconfig to backend request
* use ap_log_rerror where possible
* remove obsolete APLOG_NOERRNO
Cleanup effort in prep for GA push: Trim trailing whitespace... no func change
mod_proxy_http, mod_proxy_connect: Add 'proxy-status' and 'proxy-source-port' request notes for logging PR: 30195
Use APR_STATUS_IS_... in some more cases. While this is not strictly necessary everywhere, it makes it much easier to find the problematic cases.
* Play safe if the notes table does not contain an SSL_connect_rv key.
Add a patch from Vincent Deffontaines to make the adding of X-forwarded-* headers configurable: ProxyAddHeaders, defaulting to 'On'. http://www.mail-archive.com/dev@httpd.apache.org/msg49971.html
More movement to shared stuff...
fix comment
update comment
Make sure we clone the table rather than copy it, to ensure that no keys or values allocated from r->pool end up referenced in the backend request.
mod_proxy_http: Allocate the fake backend request from a child pool of the backend connection, instead of misusing the pool of the frontend request. Fixes a thread safety issue where buckets set aside in the backend connection leak into other threads, and then disappear when the frontend request is cleaned up, in turn causing corrupted buckets to make other threads spin.
mod_proxy_http: Ensure that when the backend is closed, the final call to ap_proxy_http_cleanup() is suppressed, so that the backend is not cleaned twice. Fixes a further thread safety issue.
Change another variable that could be confused for conn_rec.
* Fix r1039304 and make the patch similar to the one proposed for 2.2.x: If the SSL handshake to the backend fails we cannot even send an HTTP request. So the check needs to happen already when we send data not when we receive data.
* The concept of the cleaned flag is flawed: Once we returned the connection to the pool we can no longer rely on it as another thread could have leased the connection in the meantime and might have modified it. BUT: We only use this flag once we returned the connection to the pool. So signal that we returned the connection to the pool by something that is local to the thread, in this case set backend to NULL if we already have returned the connection.
* Do not fiddle around with the close field if we might have returned the connection to the pool already. It might be already in use again by another thread.
* Put a note in the connection notes that the SSL handshake to the backend failed such that mod_proxy can put the worker in error state. PR: 50332 Submitted by: Daniel Ruggeri <DRuggeri primary.net> Reviewed by: rpluem
When the proxy closes the backend connection early, force a setaside on any buckets still outstanding to ensure they've been copied out of the backend connection's pool and it is safe to release the backend connection.
Revert r1035504, this was the wrong way to do it.
Fix pool lifetime issues when the proxy backend connection is terminated early by forcing a setaside on transient buckets placed in the brigade by mod_ssl. This has the effect of extending the lifetime of buckets until the end of the request. This is a variation on the original fix for this problem, which added transient buckets to be setaside later in the process.
Fix a pool lifetime issue: Make sure we clean up our brigade before we hand the backend connection back to the connection pool.
mod_proxy: Release the backend connection as soon as EOS is detected, so the backend isn't forced to wait for the client to eventually acknowledge the data.
Remove needless pool cleanup. ap_pregcomp already registers a cleanup for the regex.
Fix an inline variable declaration.
mod_proxy: Move the ProxyErrorOverride directive to have per directory scope.
axe an unnecessary call to sscanf() when parsing the response line from the origin server apr_date_checkmask() already verified the expected text and digit positions; all that is needed is to cheaply find which digits
* LimitRequestBody does not affect Proxy requests (Should it?). Let it take effect if we decide to store the body in a temporary file on disk.
Pull out "does request have a body" logic to a central canon function and use that for the 100-Continue OK check. Should likely also start using this in the various other places we do this "have body" check thruout the codebase...
Fix comment and code to be what it should have been/ thx to r and r for spotting this foobar.
Further checks for non-body requests...
detab
For backends which are HTTP/1.1, do a quick test (ping) of the "connection" via 100-Continue for reverse proxies... ACO and Filip Hanik also helped out with the idea...
Use APR_STATUS_IS_TIMEUP instead of direct compare to APR_TIMEUP to
be more safe on different platforms.
Note: This commit has an additional, platform-independent change to
mark the back-end connection for closing ("backend->close = 1;").
That code is not required to resolve CVE-2010-2068 on any platform.
PR: 49417
Addresses CVE-2010-2068
- Be less verbose at levels INFO and DEBUG in mod_proxy* and mod_ssl - Add some trace logging to core and http
Use the new APLOG_USE_MODULE/AP_DECLARE_MODULE macros everywhere to take advantage of per-module loglevels
log remote server port in various places
mod_proxy_http: get the headers right in a HEAD request with ProxyErrorOverride.PR 41646 Analysis by Stuart Children; patch by niq
mod_proxy_http: Make sure that when an ErrorDocument is served from a reverse proxied URL, that the subrequest respects the status of the original request. This brings the behaviour of proxy_handler in line with default_handler. PR 47106.
fix or complain about some invalid errno references
Allow ProxyPreserveHost to work in <Proxy> sections PR: 34901
Return consistent error status for proxy unable to connect PR 46971
Security fix for CVE-2009-1890: * modules/proxy/mod_proxy_http.c (stream_reqbody_cl): Specify the base passed to apr_strtoff, and validate the Content-Length in the same way the HTTP_IN filter does. If the number of bytes streamed exceeds the expected body length, bail out of the loop. Thanks to: Toadie <toadie643 gmail.com> for reporting and diagnosis of this issue. Submitted by: niq, jorton
mod_proxy_http: fix case sensitivity checking transfer encoding PR 47383 [Ryuzo Yamamoto]
Fix IPv6 literal addresses passed to a proxied backend. PR 47177 Patch by Carlos Garcia Braschi
* Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives to enable
stricter checking of remote server certificates.
(docs/manual/mod/mod_ssl.xml)
Documentation of SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.
(modules/proxy/mod_proxy_http.c)
Set the hostname of the request URL as note on the connection.
(modules/ssl/ssl_private.h)
Add proxy_ssl_check_peer_expire and proxy_ssl_check_peer_cn fields to
the SSLSrvConfigRec.
(modules/ssl/ssl_engine_config.c)
Directives stuff for SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.
(modules/ssl/ssl_engine_io.c)
Check whether the remote server's certificate is expired / if there is a
mismatch between the requested hostname and the remote server certificate's
CN field.
Be able to parse ASN1 times.
(modules/ssl/mod_ssl.c)
Directives stuff for SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.
use ap_log_rerror instead of r->server per niq's comments
pass a server_rec to ap_log_error on two interim response messages
* Rip out the old flushing approach for solving lifetime issues between the backend connection bucket allocator and front end connection bucket allocator. Instead copy the buckets from the backend over to ones that have been created using the front end bucket allocator. For metabucket this is done by recreating them, for data buckets this is done by reading them and putting the read data in a transient bucket. PR: 45792
Remove potential for memory leak... allocate on this request which is now viable due to connection pooling.
For timeouts, behave as before and not drop. From Adam Woodworth <mirkperl gmail.com>
comment tweak
* Introduce environment variable proxy-initial-not-pooled to avoid reusing pooled connections if the client connection is an initial connection. This avoids the "proxy: error reading status line from remote server" error caused by the race condition that the backend server closed the connection after the connection check on our side and before our data reached the backend. Yes, this downgrades performance, especially with HTTP/1.0 clients. Hence it is configurable and off by default. PR: 37770
move back to inner loop... fails otherwise
Patch for CVE-2008-2364...
* Do this later as we might leave the function anyway without the need for this.
* According to RFC 2616 8.2.3 we are not allowed to forward an Expect: 100-continue to an HTTP/1.0 server. Instead we MUST return a HTTP_EXPECTATION_FAILED.
* mod_proxy_http.c
Ensure that the EOC bucket is inserted BEFORE an EOS bucket in bb as
some resource filters like mod_deflate pass everything up to the EOS
down the chain immediately and send the remainder of the brigade later
(or even never). But in this case the ap_http_header_filter does not
get out of our way soon enough.
http_filters.c
Remove all data buckets that are in a brigade after an EOC bucket
was seen, as an EOC bucket tells us that no (further) resource
and protocol data should go out to the client. OTOH meta buckets
are still welcome as they might trigger needed actions down in
the chain (e.g. in network filters like SSL).
Remark 1: It is needed to dump ALL data buckets in the brigade
since a filter in between might have inserted data
buckets BEFORE the EOC bucket sent by the original
sender and we do NOT want this data to be sent.
Remark 2: Dumping all data buckets here does not necessarily mean
that no further data is sent to the client as:
1. Network filters like SSL can still be triggered via
meta buckets to talk with the client e.g. for a
clean shutdown.
2. There could be still data that was buffered before
down in the chain that gets flushed by a FLUSH or an
EOS bucket.
PR: 37770
Remove extra cruft that ended up in a commit.
core, mod_proxy: If a kept_body is present, it becomes safe for subrequests to support message bodies. Make sure that safety checks within the core and within the proxy are not triggered when kept_body is present. This makes it possible to embed proxied POST requests within mod_include.
Typo.
Set at init time, and combine comments
* Do not add the query string again in the case that we are using the unparsed uri. PR: 44803
handle ? in cases where nocanon is in effect
* In the case that we fail to read the response line from the backend and if we are a reverse proxy request shutdown the connection WITHOUT ANY response to trigger a retry by the client if allowed (as for idempotent requests). BUT currently we should not do this if the request is the first request on a keepalive connection as browsers like seamonkey only display an empty page in this case and do not do a retry. Related to PR 37770
* Fix comment. No functional change.
* Fix processing of chunked responses if Connection: Transfer-Encoding is set in the response of the proxied system. PR: 44311
*) mod_proxy_http: Return HTTP status codes instead of apr_status_t
values for errors encountered while forwarding the request body
PR 44165 [Eric Covener]
See also PR 31759 / r448711
* Enable the proxy to keep connections persistent in the HTTPS case. Basically the persistence is created by keeping the conn_rec structure created for our backend connection (whether http or https) in the connection pool. This required to adjust scoreboard.c in a way that its functions can properly deal with a NULL scoreboard handle by ignoring the call or returning an error code.
Add option not to send&clear response headers in ap_send_interim_response. We'll need this option to fix PR#43711, and ap_send_interim_response is fortunately too new an API to have made it into anything stable.
mod_proxy: add "nocanon" keyword to ProxyPass, to suppress URI-canonicalisation in a reverse proxy. PR 41798
* modules/proxy/mod_proxy_http.c (ap_proxy_http_register_hook): Fix apr_pool_cleanup_register() invocation added in r583202, which was causing every apr_proc_create() call to segfault.
(forward) proxy should not be verifying/checking for valid chars in a URI... pass through.
Abstract out "verification of valid encoding" via ap_proxy_isvalidenc(). Now we can use it in other proxy protocols.
missing include!
mod_proxy_http: Don't unescape/escape forward proxied URLs. Just check them. PR 42592 also add fix to PR42572 to CHANGES (from r563487/r563489)
Purge tabs in r582631
mod_proxy_http: Correctly forward unexpected interim (HTTP 1xx) responses. PR 16518
No change, but they won't let me have foo (and ... this is the module with a function addit_dammit !!!)
Proxy: remove Warning headers with wrong date PR 16138
Fix typo in header name "Trailer"
Fix processing of Connection headers in proxy PR 43509
Fix adding out Via header in proxy response PR 19439
Strip hop-by-hop headers in proxy response
Formatting. No functional change.
Remove tabs.
Propagate Proxy-Authorization header correctly PR 25947 RFC2616 tells us: (1) If we haven't authenticated, we must pass the header on. (2) If we have authenticated, we MAY pass it on. I've made the latter case configurable by ENV(Proxy-Chain-Auth). Also, Proxy-Authenticate is a response header, and doesn't belong in a check of request headers.
Fix proxy-sendchunk(s|ed) problem PR 43183
proxy_http: don't wait for response body in a HEAD PR 41644 [Stuart Children]
create the brigade outside ap_proxygetline and reuse it. correct the overflow handling. (returning APR_ENOSPC was changing the behaviour).
Improve traces in ap_proxy_http_process_response(). That will help to investigate PR 37770. (errors from backend :-)).
HTTP proxy ProxyErrorOverride: Leave 1xx and 3xx responses alone. Only processing of error responses (4xx, 5xx) will be altered. PR: 39245 This is based on a patch submitted by Bart van der Schans <schans hippo.nl> and tweaked slightly by me based on discussions on dev@ since April 2006. I think rpleum was the first to mention the 1xx issue.
Re-add "proxy-sendextracrlf" first introduced in r157478 and silently removed in r219224.
* Handle request bodies larger than 2 GB by converting the Content-Length header string of the request correctly to apr_off_t. PR: 40883
Minor nit: why make the logic more complex than it needs to be ? :)
Cleanup: Remove close_on_recycle from proxy_conn_rec. It behaves the same as close.
update license header text
* server/core.c (default_handler): Use apr_brigade_insert_file() to append the file to the brigade. * server/protocol.c (ap_send_fd), modules/proxy/mod_proxy_http.c (spool_reqbody_cl), modules/cache/mod_mem_cache.c (recall_body), modules/cache/mod_disk_cache.c (recall_body), modules/mappers/mod_negotiation.c (handle_map_file), modules/generators/mod_asis.c (asis_handler), modules/dav/fs/repos.c [DEBUG_GET_HANDLER] (dav_fs_deliver), modules/arch/win32/mod_isapi.c (ServerSupportFunction): Likewise.
Update the copyright year in all .c, .h and .xml files
* Avoid calling ap_proxy_http_cleanup twice as this releases a connection
from the connection pool twice. This causes this connection to be present
in the connection pool twice. Thus it may be used by different threads
at the same time which causes many troubles (segfaults in this case).
Furthermore implement a logic to prevent double releases to the connection
pool if they are triggered by buggy code and log an error message in this
case.
- mod_proxy_http.c: remove double calls to ap_proxy_http_cleanup
- proxy_util.c: Add logic to prevent double releases of a
connection to the connection pool.
PR: 38793
* Disable persistent connections for SSL backends again as we do not handle them correctly, because we recreate backend->connection for each request and thus try to initialize an already existing SSL connection. Noticed by: Joe Orton
*) mod_proxy: Fix KeepAlives not being allowed and set to
backend servers. PR38602. [Ruediger Pluem, Jim Jagielski]
Also, document previous patch:
*) Correctly initialize mod_proxy workers, which use a
combination of local and shared datasets. Adjust logging
to better trace usage. PR38403. [Jim Jagielski]
* Use the correct pool for apr_table_copy. Otherwise we trigger the bad pool ancestry abort in apr_table_copy if apr is compiled with APR_POOL_DEBUG. Noticed by: Joe Orton
* Do not close the backend connection, because the client sent a Connection: close header. PR: 38524
* Do not remove the connection headers from r->headers_in. They are needed by the http output filter to create the correct connection response headers. Instead work on a copy of r->headers_in. PR: 38524
* Call ap_proxy_http_cleanup after ap_log_rerror because it resets backend->hostname to NULL.
* Correctly signal broken backend connections up the chain also for the ajp backend (see also r357461). Furthermore move common code in mod_proxy_http.c and mod_proxy_ajp.c into a new function (ap_proxy_backend_broke) in proxy_util.c. modules/proxy/mod_proxy_ajp.c : Signal broken backend connection for ajp backend modules/proxy/proxy_util.c : Add ap_proxy_backend_broke modules/proxy/mod_proxy_http.c: - Use ap_proxy_backend_broke - Return DONE also if backend broke modules/proxy/mod_proxy.h : Add declaration of ap_proxy_backend_broke
Morph the ap_http_broken_backend_filter() proxy "specific" filter to a generic http error handling output filter.
* If the mod_proxy backend connection broke in the middle of the response,
then
- Do not cache it.
- Signal the client that something went wrong by closing the connection
and not sending the last-chunk marker if the response was T-E chunked.
server/core_filters.c : Close the connection to the client by setting
c->keepalive to AP_CONN_CLOSE.
modules/http/chunk_filter.c : Do not send last-chunk marker in the case
the backend broke.
modules/proxy/mod_proxy_http.c: Signal that the backend connection broke.
modules/cache/mod_disk_cache.c: Respect r->no_cache for discarding the response
Submitted by: Roy T. Fielding, Jim Jagielski, Ruediger Pluem
Reviewed by: Roy T. Fielding, Jim Jagielski, Ruediger Pluem
* revert r355823 and r355837
* Move handling of backends that broke after the headers have been sent into the proxy handler of mod_proxy. This patch still sets r->connection->aborted to 1 which is currently vetoed by Roy. Moving it from the scheme handler to the proxy handler should ease the reimplementation of this, as the scheme handlers only need to return PROXY_BACKEND_BROKEN to signal the above situation to the proxy handler. mod_proxy.h: Add define for PROXY_BACKEND_BROKEN mod_proxy.c: Handle PROXY_BACKEND_BROKEN in proxy handler mod_proxy_http.c: Send back PROXY_BACKEND_BROKEN if backend broke after we sent the headers.
Add a comment and use proper grammar for another comment. (No functional changes.)
If we get an error reading the upstream response, we should bail. Reported by: Brian Akins
No functional Change: Removing trailing whitespace. This also means that "blank" lines consisting of just spaces or tabs are now really blank lines
* Fix PR37145 (data loss with httpd-2.0.55 reverse proxy method=post) by exchanging APR_BRIGADE_CONCAT with ap_save_brigade to ensure that transient buckets get setaside correctly between various iterations of ap_get_brigade calls. Reviewed by: Joe Orton, William Rowe, Jim Jagielski, Jeff Trawick
Fix ProxyPassReverse & family to work correctly in <Location>
* modules/proxy/mod_proxy_http.c (stream_reqbody_cl): Fix gcc warning.
Hopefully, address the last edge case where status may be uninitialized. Asserts in non-debug builds are bad things, anyways, so this is probably more correct. This should fix -Werror compile warning observed by Joe Orton.
Two blank lines for clarity; whitespace only change.
We already accept 80 bytes less than the client body's anticipated size, so we don't need to also prefetch an extra 1024 bytes; this was redundant.
Drop an impossible case; the while() loop already protected us from this situation.
Fix a double-termination case in svn trunk/; we terminated the headers up-front knowing the resulting headers were already correctly composed.
An impossible-to-hit edge case today; we described the request as chunked - and if chunked always send the body termination "0" chunk header. Roy's requested change that we always send a body we could read in full as a C-L request ensures this code wasn't triggered; some change in the future could again reveal this edge case.
* modules/proxy/mod_proxy_http.c (stream_reqbody_cl): Fix format string error. (ap_proxy_http_request): Restore default case in rb_method switch to fix gcc warnings.
Yet another snafu in body handling. We need to clearly avoid any ap_get_brigade or request body processing in every *subrequest* proxy action. The new code introduced more chaos because we read the request body irrespective of any bogus header handling bugs. This requires a goto, and yes, that sucks :) But this is one of those oddball cases where jumping away makes more sense than tons of indented code, IMHO. And if you count the number of goto's I've committed to httpd, you know I avoid them like the plague. I woulda' suggested to jorton to take a flying carnal act, except that each time he points me back to the 2.0 patch, I catch another entirely bogus choice within the old/new httpd-2.x request body code :) I've bumped the 2.0 patch to correspond; see http://people.apache.org/~wrowe/httpd-2.0-proxy-request-4.patch
Fix broken while () {} loops (lingering code from the old logic),
closes an infinite loop in the most recent version. Init the cl_val
to prevent failure of zero length bodies in the most recent version.
Use 'request body' instead of 'data' to describe any errors.
Finally, loop around ap_get_brigade to grab multiple chunks that still
fall below our MAX_MEM_SPOOL threshold, since the chunk decoding from
the client will pass up just one small chunk per ap_get_brigade call.
On Roy's suggestion; why wait to try to clear out the input stream if it is smaller than MAX_MEM_SPOOL? Do this upfront before dispatching to a body handler. This means changing each of the three body pumps to presume a preexisting input_brigade was already loaded, so turn around their loop conditions.
Fix a style problem; b is ambiguous (is it a brigade or bucket?) bb is far less ambiguous.
leaving force-proxy-request-1.0 for broken clients, revert my patch for forcing an HTTP/1.0 proxy request, if the client request is HTTP/1.0, per Roy.
Missed an edge case; once we know the C-L didn't match, it's time to shut down the body already. Finish reading from the client but do nothing else, returning an error.
How can I fix thee? let me count the ways...
* pass a chunked body always (no-body requests don't go chunked).
* validate that the C-L counted body length doesn't change.
* follow RFC 2616 for C-L / T-E in the request body C-L / T-E
election logic.
* do not forward HTTP/1.0 requests as HTTP/1.1, unless the admin
configures force-proxy-request-1.1
* conn was illegible, use 2.0's p_conn.
Fix two fat-fingered typos from commit 216156. Code matches previous behavior now; time to start fixing.
send_request_body and indentation made it very difficult to follow all the mistakes in this code. Fold send_request_body into reindent to make the pattern clear and skip some extra string handling. Little functional change, that comes next.
End abuse of apr_strnat[case]cmp - it isn't str[case]cmp. Unsure if apr_strnatcasecmp(conf_ip, uri_ip) was intentional, on the off chance that the left or right hand ip string happens to contain leading zeros.
Fix a ton of wrong/silly indention, and clarify the fix-notes
proxy HTTP: If a response contains both Transfer-Encoding and a Content-Length, remove the Content-Length and don't reuse the connection, stopping some HTTP Request smuggling attacks.
* modules/proxy/mod_proxy_http.c (ap_proxy_http_process_response): Don't send an EOS after an interim response.
* modules/proxy/mod_proxy_http.c (ap_proxy_http_process_response): Fix a comment.
* modules/proxy/mod_proxy_http.c (ap_proxy_http_process_response): When there are only headers and no body, give the remainder of the output filters a chance by pushing an EOS bucket through the filter stack.
mod_proxy: Add proxy-sendextracrlf option to send an extra CRLF at the end of the request body to work with really old HTTP servers. * modules/proxy/mod_proxy_http.c (stream_reqbody_cl, spool_reqbody_cl): If proxy-sendextracrlf option is present, append a CRLF to the body stream that isn't counted against CL.
* modules/proxy/mod_proxy_http.c (ap_proxy_http_process_response): Fix spurious error at EOF. PR: 33615
If we rec' a bad response header line, ignore what we've rec'd so far and force BAD_GATEWAY.
Better handle the case where ProxyBadHeader StartBody is in effect and we think we've started reading in the response body. Take advantage of the fact that the line read is still in buffer (and document that) to allow us to add to the bb.
Update copyright year to 2005 and standardize on current copyright owner line.
Also translate Destination headers when ProxyPassReverse'd * modules\proxy\mod_proxy_http.c (process_proxy_header): reverse map Destination header. NOTE: This is some darn nasty looking code... * modules\proxy\ajp_header.c (ajp_unmarshal_response): reverse map Destination header.
Rename proxy modules.
* modules\proxy\mod_proxy_ajp.c
* modules\proxy\mod_proxy_balancer.c
* modules\proxy\mod_proxy_connect.c
* modules\proxy\mod_proxy_ftp.c
* modules\proxy\mod_proxy_http.c
Renamed from proxy_{ajp,balancer,connect,ftp,http}.c
* modules\proxy\mod_proxy_ajp.dsp
* modules\proxy\mod_proxy_balancer.dsp
* modules\proxy\mod_proxy_connect.dsp
* modules\proxy\mod_proxy_ftp.dsp
* modules\proxy\mod_proxy_http.dsp
Update references to renamed files.
* modules\proxy\NWGNUproxyajp
* modules\proxy\NWGNUproxybalancer
* modules\proxy\NWGNUproxycon
* modules\proxy\NWGNUproxyftp
* modules\proxy\NWGNUproxyhtp
Update references to renamed files.
proxy HTTP: Rework the handling of request bodies to handle chunked input and input filters which modify content length, and avoid spooling arbitrary-sized request bodies in memory. This is a merge of the proxy-reqbody branch into the trunk. Justin had the protocol issues resolved in 2.1-dev, but not the memory issue. The new implementation makes an effort to stream the request body whenever possible. Thanks to Allan Edwards for a critical bug fix, Greg Ames for some style corrections, Justin for a needed commentary addition, Jan Kratochvil for testing the analogous 2.0.x patch with the SonyEricsson P900 phone, and reviews by all these folks + JimJag. PR: 15859
Close PR 32459, 15207. API change for PROXY_DECLARE ap_proxy_canonenc()
* modules/proxy/proxy_http.c (ap_proxy_http_process_response): Handle aborted connections correctly: abort if c->aborted is set. * modules/proxy/proxy_ftp.c (proxy_ftp_handler): Likewise. PR: 32443 Submitted by: Janne Hietamäki, Joe Orton
Rewrite Cookies and other headers in mod_proxy_ajp as configured with
ProxyPassReverse and ProxyPassReverseCookiePath.
* modules/proxy/proxy_ajp.c
(ap_proxy_ajp_request): Update call to ajp_parse_header().
* modules/proxy/ajp.h
(ajp_msg_get_string): constify argument.
(ajp_parse_header): Add conf argument.
* modules/proxy/proxy_util.c
(ap_proxy_location_reverse_map): Promoted from mod_proxy_http.
(ap_proxy_cookie_reverse_map): Promoted from mod_proxy_http;
renamed from proxy_cookie_reverse_map.
* modules/proxy/ajp_msg.c
(ajp_msg_get_string): constify argument.
* modules/proxy/proxy_http.c
(ap_proxy_location_reverse_map, proxy_cookie_reverse_map): Removed.
(process_proxy_header): Update header mapping table to reference the now
public functions.
* modules/proxy/ajp_header.c
(ajp_unmarshal_response): Add conf argument. Reverse map cookies and
other headers.
(ajp_parse_header): Update call to ajp_unmarshal_response().
* modules/proxy/mod_proxy.h
(ap_proxy_location_reverse_map, ap_proxy_cookie_reverse_map): Declare
functions that have been promoted to be public.
(ap_proxy_header_reverse_map_fn): Typedef for the signature of the above
two functions (currently used in mod_proxy_http).
mod_proxy: Fix a request corruption problem and a buffering problem which sometimes prevented proxy-sendchunks from working. strlen() couldn't be used since no space had been allocated for trailing NUL, so occasionally the T-E header field contained garbage and a 400 error would be returned by the origin server. The lack of a flush bucket after the final "0\r\n\r\n" was a showstopper for my simple tests (reverse proxy to Apache 1.3 + custom module which read the body).
"transfered" is not a word. s/transfered/transferred/g;
grammatical parameter change... "readed" -> "read"
Make proxy address cache thread safe and available only to pooled workers.
general property cleanup
* modules/proxy/proxy_http.c (ap_proxy_http_process_response): Don't treat the 205 status-code like 204 or 304, per recent http-wg discussion: http://lists.w3.org/Archives/Public/ietf-http-wg/2004JulSep/0083.html
* modules/proxy/proxy_http.c (ap_proxy_http_process_response): Use the standard non-blocking-read/flush/blocking-read logic to ensure that buffered content is flushed to the client if the next read will block. PR: 19954
Remove double calculation of transferred bytes to backend.
Count the bytes transferred and read so we can display the actual data traffic, and add additional balancer mechanism that will take the data traffic into account.
* modules/proxy/proxy_http.c (proxy_http_handler, proxy_http_canon): Drop ap_ prefix, declarations and make static.
Always use private connection pool for allocation, and call apr_pool_clear when the connection is closed on recycle, so that we don't leak on persistent connections.
If any of steps return status != OK close the connection and call the proxy_http_cleanup.
Fix a trio of bugs in how mod_proxy relays requests:
- Fix type error in proxy-sendchunks case that caused an invalid T-E header.
- Fix data corruption (seen with mod_ssl/mod_proxy combination) due to not properly setting aside the body_buckets.
- Pass along a C-L: 0 if we still have a C-L of 0 after filtering and the original request to us had that as well.
Use ap_str_tolower for lowercasing the scheme. That was the original intention (not apr_tolower).
apr_tolower() doesn't process the entire string
Make sure that the things get logged using the same look-and-feel. Also fix the return code from DECLINED to service unavailable if the connection breaks. Submitted by: mturk
Always use the cleanup. Do not close the socket directly. Submitted by: mturk
Fix the assertion bug for reslist caused by returning the same connection back to the pool twice. Submitted by: mturk
We have a proxy-http using connection pool ;) Need some thorough testing. Submitted by: mturk
fix a bunch of compiler warnings
*** Patch for EBCDIC-host and HTTP/0.9 responses only *** In dealing with a HTTP/0.9 response to a proxy request, we have pre-read data that is not an HTTP header. At this point of processing, we don't know yet whether the data is going to be interpreted as binary or not. (In fact, we may never find out because HTTP/0.9 lacks the Content-Type headers; only by configuring mod_charset_lite can we control the conversion). But mod_charset_lite will get control only later, so it cannot decide on the conversion of the current buffer full of data. => This is an extreme and rare situation normally. So, for catching the most obvious problem (talking not to a HTTP server but to some other protocol), the best guess here is to treat the buffer as "text/*" (to make error messages readable).
Fix for multiple proxy bugs - review please:
#10722 Reverse proxying cookies
#15207 Proxy passing canonicalised URIs to backend
#16812 Case-insensitivity of proxypassreverse
#19317 Canonicalised URI causing infinite loop
#20372 AllowEncodedSlashes
May also fix 13577 (untested)
This is really two fixes: 10722 and 15207; the others are trivial consequences. To make review easier, the simpler fix (#15207) is entirely contained in #ifdef FIX_15207 (new code) and #ifndef FIX_15207 (removed code)
Fix handling of IPv6 numeric strings in mod_proxy. (Some such operations would work if port was specified in url due to way parsing was performed, finding last ':' and considering everything after as the port.)
*** empty log message ***
* modules/proxy/proxy_http.c (ap_proxy_http_process_response): Consistently check whether r->status is "successful" or not; fix screwy handling of 2xx-but-not-200 responses when ProxyErrorOverride is used. PR: 20183 Submitted by: Marcus Janson <marcus.janson@tre.se>, Joe Orton
fix name of The Apache Software Foundation
fix copyright dates according to the first check in
apply Apache License, Version 2.0
If the proxy was enabled, and UseCanonicalHostname was off, then the Via: header would report not the proxy host's ServerName (or any of its configured VHosts' names) as it should, but the *origin host*'s name. Now it reports its ServerName.
* modules/proxy/proxy_http.c (ap_proxy_http_process_response): Handle all 1xx interim responses the same, one of the two 2616 compliance issues in PR 19442.
Cosmetic change (I dislike 'known-constant-minus-one' literal numbers): The ap_is_HTTP_INFO() macro checks for values in the 100...199 range, and is a better readable replacement for the value 199.
mod_proxy hangs when both KeepAlive and ProxyErrorOverride are enabled, and a non-200 response without a body is generated by the backend server. Submitted by: Graham Wiseman, Richard Reiner Reviewed by: Richard Reiner, Bill Stoddard
update license to 2004.
mod_proxy with ProxyErrorOverride On in a reverse-proxy configuration attaches a body to the 302 response and a wrong Content-Length header. PR: 22951 Submitted by: Ermanno Scaglione <scaglione ..at.. starnetone.de> Reviewed by: Blaise Tarr <blaise.tarr .. at .. cnet.com>
Fix format string warnings from gcc on amd64:
* modules/ssl/ssl_scache_dbm.c (ssl_scache_dbm_store): Print apr_size_t using APR_SIZE_T_FMT.
* modules/ssl/ssl_engine_io.c (ssl_filter_write): Print difference between sizes using APR_SSIZE_T_FMT, apr_size_t using APR_SIZE_T_FMT.
* modules/proxy/proxy_http.c (ap_proxy_http_request): Print apr_uint64_t using APR_UINT64_T_HEX_FMT.
Fix memory leak in handling of request bodies during reverse proxy operations. PR: 24991 Submitted by: Larry Toppi <larry.toppi citrix.com> Reviewed by: Jeff Trawick
* proxy_http.c (ap_proxy_http_process_response): Send a valid status-line even if the parsed status-line had no trailing spaces. Remove the warning for this case as triggers for valid status-lines too. PR: 23998
switch to APR 1.0 API (which is still in flux) because of the changes to the argument lists of apr_mmap_dup and apr_socket_create, 2.1-dev won't build with apr and apr-util's 0.9 branch anymore
Silence a compiler warning.
Clarify an error message PR: Obtained from: Submitted by: Reviewed by:
Correct some indenting PR: Obtained from: Submitted by: Reviewed by:
finished that boring job: update license to 2003. Happy New Year! ;-))
Rewrite how proxy sends its request to allow input bodies to morph the request bodies. Previously, if an input filter changed the request body, the original C-L would be sent which would be incorrect. Due to HTTP compliance, we must either send the body T-E: chunked or include a C-L for the request body. Connection: Close is not an option.
mod_proxy: Don't remove the Content-Length from responses
When doing a GET of a proxied URL as a subrequest within a POSTed request, don't send the original POST's Content-Length as part of the header for the GET.
Fix a segfault when the client closes the connection prematurely. Reported by: Fabio Wakim Trentini Reviewed by: Bill Stoddard
add some parens to quiet a gcc warning: proxy_http.c:866: warning: suggest parentheses around assignment used as truth value
Make sure the contents of the WWW-Authenticate header is passed on a 4xx error by proxy. Previously all headers were dropped, resulting in the browser being unable to authenticate. PR: Obtained from: Submitted by: Dr Richard Reiner <rreiner@fscinternet.com>, Richard Danielli <rdanielli@fscinternet.com>, Graham Wiseman <gwiseman@fscinternet.com>, David Henderson <dhenderson@fscinternet.com> Reviewed by: Graham Leggett
Add a warning when servers don't set their status line PR: Obtained from: Submitted by: Reviewed by:
fix the case when a server doesn't send a response string Submitted by: Brett Hutley <brett@hutley.net> J.D. Silvester <jsilves@uwo.ca>
Fix proxy so that it is possible to access ftp: URLs via a proxy chain. PR: Obtained from: Submitted by: Peter Van Biesen <peter.vanbiesen@vlafo.be> Reviewed by: Graham Leggett <minfrin@apache.org>
Timeout/time fixes
Renames Pending: This clears the list of renames pending in apr-util. Parts of this list were already done, but the pending list hadn't been updated.
apr_hook_debug_current from apr_current_hooking_module
apr_hook_debug_show from apr_show_hook
apr_hook_global_pool from apr_global_hook_pool
apr_hook_sort_all from apr_sort_hooks
apr_uri_port_of_scheme from apr_uri_default_port_for_scheme
apr_uri_unparse from apr_uri_unparse_components
apr_uri_parse from apr_uri_parse_components
apr_uri_parse_hostinfo from apr_uri_parse_hostinfo_components
apr_uri_t from apr_uri_components
All APR_URI_* from all APU_URI_* symbols
All APR_UNP_* from all UNP_* symbols
PR: Obtained from: Submitted by: Thom May Reviewed by:
Change conn_rec->keepalive to an enumerated value of AP_CONN_UNKNOWN AP_CONN_CLOSE AP_CONN_KEEPALIVE This also fixes a problem where ap_discard_request_body would not discard the body when keepalive was 0. This actually meant the keepalive status was unknown *not* closed, but no one ever remembered that. This problem was seen with mod_dav sending error responses (as reported by Karl Fogel). Suggested by: Greg "this isn't the '80s" Stein Reviewed by: Greg Ames
No crutches, people!
Cleanup proxy timeouts a bit to remove emits and make consistent to vhost timeout.
add 2 new environment variables to deal with misbehaving backends "proxy-nokeepalive" which removes the Connection: line completely "force-proxy-request-1.0" which forces the request to be HTTP/1.0 this allows apache to reverse proxy misbehaving appservers
Switch mod_proxy to using the brigade/filter calls directly rather than the *_client_block calls.
Add a PROXYREQ_RESPONSE value for request_rec->proxyreq because it is possible that there can be different behavior at the protocol level if request_rec isn't really a request but a response. This stems from the fact that request bodies must be indicated by Content-Length or Transfer-Encoding, but response bodies do not. The recent change to ap_http_filter to return EOS if there isn't a body broke proxy. Therefore, there must be some way for the proxy to indicate that this is a response. Accordingly, ap_http_filter can allow the BODY_NONE iff this is a response. Since r->proxyreq is set to PROXYREQ_PROXY even for the original request from the client, that value isn't sufficient. Hence, the introduction of PROXYREQ_RESPONSE.
stop using APLOG_NOERRNO in calls to ap_log_[pr]error()
get basic HTTP proxy working on EBCDIC machines (I would bet that there is more work to do throughout proxy, but at least it can serve some pages now)
Proxy was bombing out every second keepalive request, caused by a stray CRLF before the second response's status line. Proxy now tries to read one more line if it encounters a CRLF where it expected a status. PR: 10010 Obtained from: Submitted by: Reviewed by:
PR: Obtained from: Submitted by: Daniel Lopez <daniel@covalent.net> Reviewed by: dougm, rbb add optional fixup hook to proxy
fix ProxyPass when frontend is https and backend is http
PR: Obtained from: Submitted by: Reviewed by: Ryan Bloom remove flush bucket from ap_proxy_http_process_response. this allows for the response content-length header to be properly calculated/inserted.
PR: Obtained from: Submitted by: Reviewed by: Ryan Bloom remove call to ap_proxy_reset_output_filters() and the function itself. this call breaks ssl proxy when the client is using keepalives. this function is also no longer needed with recent-ish filter changes.
ap_proxy_http_request needs to check the return status of ap_pass_brigade
check the return value of ap_proxy_ssl_enable
BUCKET FREELISTS Add an allocator-passing mechanism throughout the bucket brigades API. From Apache's standpoint, the apr_bucket_alloc_t* used throughout a given connection is stored in the conn_rec by the create_connection hook. That means it's the MPM's job to optimize recycling of apr_bucket_alloc_t's -- the MPM must ensure that no two threads can ever use the same one at the same time, for instance.
hook into mod_ssl for https support
Change the header merging behaviour in proxy, as some headers (like Set-Cookie) cannot be unmerged due to stray commas in dates. PR: Obtained from: Submitted by: Reviewed by:
Commit 1 of 2 to:
1. rename ap_rset_content_type to ap_set_content_type
2. reverse the arguments on the call to align with ap_set_content_length
First commit to introduce accessor function to set r->content_type..
Update our copyright for this year.
New directive ProxyIOBufferSize. Sets the size of the buffer used when reading from a remote HTTP server in proxy. Modify receive/send loop in proxy_http and proxy_ftp so that should it be necessary, the remote server socket is closed before transmitting the last buffer (set by ProxyIOBufferSize) to the client. This prevents the backend server from being forced to hang around while the last few bytes are transmitted to a slow client. Fix the case where no error checking was performed on the final brigade in the loop. PR: Obtained from: Submitted by: Reviewed by:
implement a common function for getting a socket and trying to connect
to the target host; use that common function for proxy HTTP and proxy
CONNECT
In that new function, fix this problem:
Proxy HTTP and CONNECT: Keep trying other addresses from the DNS
when we can't get a socket in the specified address family. We may
have gotten back an IPv6 address first and yet our system is not
configured to allow IPv6 sockets.
An example host is www.ipv6.org. The first address I get back is
an IPv6 address, but my machine may not be configured to allow an
AF_INET6 socket.
Before the fix: The apr_socket() failure was fatal.
After the fix: When apr_socket() fails, we go to the next address from
the resolver, successfully create a socket in the
specified family (AF_INET), and all is well.
(an unrelated fix in this commit was to pass a server_rec in a broken
ap_log_error() call)
fix typo in ap_proxy_http_canon: s/https:/https/
Some browsers ignore cookies that have been merged into a single Set-Cookie header. Set-Cookie and Set-Cookie2 headers are now unmerged in the http proxy before being sent to the client. Fix a problem with proxy where each entry of a duplicated header such as Set-Cookie would overwrite and obliterate the previous value of the header, resulting in multiple header values (like cookies) going missing. PR: Obtained from: Submitted by: Reviewed by:
send a 'bad-gateway' when an invalid response flies in
Remove the install_transport_filters hook. The same function can be achieved with the pre_connection hook. I have added the socket to the pre_connection phase to make this possible. Reviewed by: Bill Stoddard
Reintroduce the create_connection hook. This hook is required to enable modules to completely take over all network i/o from the core.
add a ProxyTimeout directive
In the debug log, say 'decline' instead of 'reject' when DECLINEing
Cleanup some fallout from the recent install_transport_filters commit. Deprecate ap_proxy_pre_http_connection.
new directive 'ProxyPreserveHost' which allows the incoming host line to be sent to the proxied server. Submitted by: g.russell@ieee.org (1.3 version) Reviewed by: Ian Holsman/Graham Leggett/Chuck Murcko
Remove the create_connection hook and put the client_socket back into the conn_rec. The create_connection_hook has a design flaw that prevents it from making decisions based on vhost information.
Change ap_get_brigade prototype to remove *readbytes in favor of readbytes. If you need the length, you should be using apr_brigade_length. This is much more consistent. Of all the places that call ap_get_brigade, only one (ap_http_filter) needs the length. This makes it now possible to pass constants down without assigning them to a temporary variable first.
Also:
- Change proxy_ftp to use EXHAUSTIVE mode (didn't catch its -1 before)
- Fix buglet in mod_ssl that would cause it to return too much data in some circumstances
Input filtering prototype change: Socket blocking type should be separate from the input filter mode type. We also no longer look at readbytes to determine the method of filter operation. This makes the use of filters more obvious and allows a wider range of options for input filters modes. To start with, the new input filter modes are:
AP_MODE_READBYTES (no more than *readbytes returned)
AP_MODE_GETLINE (old *readbytes == 0 case)
AP_MODE_EATCRLF (old AP_MODE_PEEK)
AP_MODE_SPECULATIVE (will be used in a future ap_getline rewrite)
AP_MODE_EXHAUSTIVE (old *readbytes == -1 case)
AP_MODE_INIT (special case for NNTP over SSL)
The block parameter is an apr_read_type_e: APR_BLOCK_READ, APR_NONBLOCK_READ
This also allows cleanup of mod_ssl's handling in the getline case. Reviewed by: Ryan Bloom (concept), Greg Stein (concept)
Fix a couple of mod_proxy problems forwarding HTTP connections:
(1) PR #9190 It failed to connect to IPv6 hosts.
(2) It failed to connect when the first IP address returned by
the resolver was unreachable but a secondary IP address was.
PR: 9190 (partly)
Keep my comments to myself.
Use ap_getline() in favor of ap_proxy_string_read() in ap_proxy_http_process_response().
Fix mod_proxy seg fault when the proxied server returns an HTTP/0.9 response or a bogus status line. Submitted by: Adam Sussman Reviewed by: Bill Stoddard
Prevent mod_proxy from truncating one character off the end of the status line returned from the proxied server. Note that buffer is NULL terminated by the call to ap_proxy_string_read() so there is no need to terminate it again. Submitted by: Adam Sussman Reviewed by: Bill Stoddard
Change the call to be blocking to eliminate a loop caused when the upstream host does not send any bytes back our way.
Remove an extra semi-colon. PR: Obtained from: Submitted by: Reviewed by:
get proxy in sync with the update to ap_run_create_connection
Add extra If-XXX request headers to be ignored in subrequests Allow cache-control header to get passed to subrequests tabs -> spaces Submitted by: Ian Holsman
Only do keepalives (and keep state on the connection record) if this request is the top-level page. Do not pass If-XXX-Since headers to the r-proxied server on a subrequest, and we can't handle a 30X response
Quiet a compiler warning.
Get the proxy module compiling again. This is a hack to get past the current compiler errors. Basically, the core now puts the socket in the conn_rec->conn_config vector. The proxy grabs that socket and uses it where it used to use the client_socket field from the conn_rec. Long-term, all of the direct socket communication needs to be removed, and this should go through a filter stack. Short-term, this gets the proxy working again. I have tested http and connect, but I haven't looked at the FTP proxy, although it does compile now.
Remove the returned-length "w" parameter from apr_bucket_heap_create() and apr_bucket_heap_make(). It was useless, since the length is invariant from the length passed in and from the resulting bucket's b->length. This takes care of a long-standing issue first brought up in February and discussed on the dev@apr list. (Issue #2 from the "Bucket API Cleanup Issues" thread.) See http://marc.theaimsgroup.com/?l=apr-dev&m=98324983126666&w=2 Reviewed by: Ryan Bloom (concept)
This patch changes the apr_table_elts macro so that it provides access to the internals of an apr_table_t via a const pointer instead of the current non-const pointer. Submitted by: Brian Pane <BPane@pacbell.net> Reviewed by: Ian Holsman
Fix so that errordocument works when an error gets returned from the proxy. Problem was ErrorHandler thought it was in some kind of recursion and couldn't find the custom error document Obtained from: Jin Hong <jinh@cnet.com> Submitted by: Reviewed by: Ian Holsman
Fix a truncation bug in how we print the port on the Via: header. The routine that prints the Via: header now takes a length for the port string. Submitted by: Zvi Har'El <rl@math.technion.ac.il>
Fix the first bucket not getting chunked properly. The reason was that we left the TE header in the output headers, so ap_set_keepalive didn't set r->chunked to 1. So, ap_http_header_filter wouldn't insert CHUNK filter appropriately. I have no clue how it chunked anything at all before this patch, but hey, it looks right now. Tested with Yahoo, Apple, apache.org, and /. /. is interesting in that it sends both Conn: Close and TE: chunked.
Lose the magic number and use the central #define AP_IOBUFSIZE. Hey, I've never seen it in actual use anywhere, so I didn't know. Thanks to Roy for pointing it out.
Teach mod_proxy to live with the new filtering scheme. Tested with www.yahoo.com (Conn: Close), www.apache.org (CL), and www.apple.com (TE: Chunked).
dechunking filter removed. add HTTP_IN filter after the headers have been parsed. so that the HTTP_IN can check them ;-) Still not 100% if this works properly, but I don't get the chunking numbers displayed on my browser, so it's better than what was there. PR: Obtained from: Submitted by: Reviewed by:
initial port of new Request-mode HTTP_IN filter to proxy. Status: It serves a reverse-proxy page.. but SLOWLY. VERY SLOWLY. still looking at why, but now it serves pages instead of dumping core. PR: Obtained from: Submitted by: Reviewed by:
Some style cleanups related to the ProxyErrorOverride function. PR: Obtained from: Submitted by: Reviewed by:
Immortal data should go in an immortal bucket, not a pool bucket. It would still work in a pool bucket, but only by coincidence. At the very least, a pool bucket is way more overhead than this poor unsuspecting little CRLF needs to get by.
change command name so that it starts with 'Proxy' fix the command so that it returns 'OK' instead of 'HTTP_OK' PR: Obtained from: Submitted by: Reviewed by:
Clean up a compile warning on AIX.
Added New Option 'HTTPProxyOverrideReturnedErrors' which lets the server override the error pages returned from the proxied server and replace them with the standard server error handling on the main server. Reviewed by: Graham, Chuck
Undo another int type'ed port (and format a little structure for legibility).
adjust to apr_uri_ rename Submitted by: dougm@apache.org Reviewed by: ianh@apache.org
MSVC can't seem to handle
int buffer_len = 1;
char test_buffer[buffer_len];
initialize some values on variable creation Submitted by: John Barbee <barbee@veribox.net>
Fix behavior in the event that a socket is closed. Submitted by: barbee@veribox.net Reviewed by: orlikowski@apache.org
Fix a char * vs char ** mixup... Submitted by: barbee@veribox.net
Break http_proxy_handler into multiple smaller functions. Submitted by: John Barbee <barbee@veribox.net>
Make the body read in proxy http handler nonblocking. There's no sense in serializing 4-8 client connections into a single origin server connection, as is the blocking behavior. Added instrumentation that we don't want compiled in normally to assist in debugging chunking problems. apr_get_brigade is apparently blocking during chunked body fetch, or proxy_http_handler is getting deadlocked with the dechunk filter. Show PID for prefork debugging. We'll figure out getting TIDs later.
Fix the proxy when the origin server sends back a 100 Continue response. [John Barbee <barbee@veribox.net>]
change readbytes from an apr_size_t to an apr_off_t to match the parameter required in ap_get_brigade Submitted by: barbee@veribox.net Reviewed by: ianh@apache.org
Add a timeout when making connections from within the proxy. Now, if someone wants to add a special scoreboard state for proxy attempting to make connection, be my guest.
Both the ftp and http proxies were erroneously sending a flush bucket after an eos bucket. This had been put in place to repair a bug, but was covering the symptoms, rather than providing the cure. Bug repaired, and kludge removed. Submitted by: barbee@veribox.net
Being slightly picky: properly namespace protect make_fake_req()
Remove APR_NO_INHERIT as it is now private. sigh... the cost of being bleeding edge PR: Obtained from: Submitted by: Reviewed by:
Change the APR_INHERIT flag to APR_NO_INHERIT, which is the default (as recommended by rbb) PR: Obtained from: Submitted by: Reviewed by:
applies change in APR function apr_socket_create, which added a new parameter. I defaulted these to APR_INHERIT. Also.. the connection-close was being merged, instead of 'set' PR: Obtained from: Submitted by: Reviewed by:
Last Log entry was bogus. Changed to 'setting' the X-Forwarded-Server X-Forwarded-Host X-Forwarded-For headers instead of merging them PR:
PR:
Remove a couple of extraneous calls to apr_brigade_cleanup()
Fix abort code path for HTTP proxy. Similar to Victor's patch for FTP proxy. No, Julia, it really *is* a double negative.
Use apr-util's date functions now
YAPJBUJ. (Yet Another Proxy Janitor Botched-Up Job). Need to be looking for APR_SUCCESS here, not HTTP_OK. Obtained from: Justin Erenkrantz
Bletch. The Proxy Janitor botches the job again. Thanks to Ian Holsman for the catch.
Fixes to proxy, after util-uri move, plus fixes to the .mak file.
Allows Mod_proxy to be dynamically loaded on win32 systems PR: Obtained from: Submitted by: ianh Reviewed by: Chuck Murcko, Graham
Shut the compiler up.
Crikey.
Track Greg's change to byte count for input filters
Stopped the HTTP proxy from trying to read entity bodies when there wasn't one (response was 1xx, 204, 205 or 304). PR: Obtained from: Reviewed by:
Made the variable naming the same as everywhere else in Apache for the ap_get_brigade() fix. PR: Obtained from: Reviewed by:
Sometimes, boys and girls, pointers and integers *aren't interchangeable.
Apply changes to ap_get_brigade() to the proxy code. PR: Obtained from: Reviewed by:
Made sure dates were canonicalised correctly when passed to the client browser through the HTTP proxy. PR: Obtained from: Reviewed by:
Split each individual proxy protocol into separate modules. PR: Obtained from: Reviewed by:
Make hooks work for the *_canon() functions. Work continues. PR: Obtained from: Reviewed by:
Initial support for proxy protocol handler sub-modules. Work continues. PR: Obtained from: Reviewed by:
Fixed all the APR error codes to make sure they end up in the logfiles PR: Obtained from: Submitted by: Reviewed by:
FTP directory filter works now. Many FIXME notes added. Much overhauling of proxy_ftp.c PR: Obtained from: Reviewed by:
Fixed some thread-safety issues with the HTTP proxy in mod_proxy. PR: Obtained from: Reviewed by:
Small fixes. PR: Obtained from: Reviewed by:
A client POST request would be read entirely into RAM before sending it on the client - a potential DoS. Fixed. PR: Obtained from: Reviewed by:
Make sure the filter stack in a reused downstream connection is reset so we don't get lots of DECHUNK filters when we don't want them. PR: Obtained from: Reviewed by:
We now keep the entire conn_rec across downstream keepalives, not just the socket. Made the "keepalive mismatch" message more accurate. PR: Obtained from: Reviewed by:
Memory allocation cleanups PR: Obtained from: Reviewed by:
Change HTTP proxy to use ap_proxy_string_read() instead of apr_brigade_read() to make sure all the buckets are read... PR: Obtained from: Reviewed by:
HTTP_VERSION() is the correct way to do this... PR: Obtained from: Reviewed by:
Add #defines for protocol version checks... PR: Obtained from: Reviewed by:
Downstream keepalives in mod_proxy should not kick in if the upstream client is < HTTP/1.1 PR: Obtained from: Reviewed by:
Sockets weren't being closed if the proxy could not connect to a remote machine... PR: Obtained from: Reviewed by:
Fixed problem where the port was left at zero on requests instead of being set to the default scheme port 80 PR: Obtained from: Reviewed by:
Bugfixes to proxy_ftp.c -> in some places uri_addr was used instead of connect_addr - all hail cut and paste! PR: Obtained from: Submitted by: Reviewed by:
Converted send_dir() to ap_proxy_send_dir_filter() in proxy_ftp.c. Fixed up the header files PR: Obtained from: Submitted by: Reviewed by:
More pool allocation errors. The apr_sockaddr_t structures connect_addr and uri_addr were getting allocated out of the wrong pool (one of the request pools) when they were expected to stick around for the life of the socket. Further, the default pool to be used should have been the connection pool in the request_rec.
Cleanup of dead functions within proxy_util.c. PR: Obtained from: Reviewed by:
Reworked the storage of the client socket between keepalive connections to fix some nasty problems with the socket lasting longer than the memory pool it was allocated from. PR: Obtained from: Reviewed by:
Some code rewriting in ap_proxy_connect_handler(): *) Fixed bug where a hostname without a "." in it (such as "localhost") would not trigger an IP address check with ProxyBlock. *) Fixed ProxyBlock bugs with ap_proxy_http_handler() and ap_proxy_connect_handler(). *) Updated ap_proxy_connect_handler() to support APR, while moving some common code between http_handler and connect_handler to proxy_util.c. PR: Obtained from: Reviewed by:
Fixing a few compiler warnings with mod_proxy PR: Obtained from: Reviewed by:
Fixed problem where responses without entity bodies would cause the directly following proxy keepalive request to fail. PR: Obtained from: Reviewed by:
*) Added support for downstream keepalives in mod_proxy. *) Changed mod_proxy ap_proxy_http_handler() to support APR properly. PR: Obtained from: Reviewed by:
Header Bugfix / General Cleanups in ap_proxy_http_handler / X-Forwarded-* headers PR: Obtained from: Reviewed by: Chuck Murcko
reorganize STATUS; update copyright
Pull in the Connection handling part of the v1.3 patch for HTTP/1.1. Some preliminary HTTP/1.1 work Some comments and fixes PR: Obtained from: Reviewed by:
Cache removed, with other spooge PR: Obtained from: Submitted by: Reviewed by:
Fix any compile breaks after moving apr_snprintf and apr_vsnprintf to apr_strings.h
renaming various functions for consistency sake see: http://apr.apache.org/~dougm/apr_rename.pl PR: Obtained from: Submitted by: Reviewed by:
Changes to get running on the current codebase PR: Obtained from: Submitted by: Reviewed by:
ap_new_connection() returns NULL if an error occurred (prefork MPM and ap_new_connection() were changed last week) I have skipped putting the change into WinNT MPM and mod_proxy. I left a note in the mod_proxy code; for the NT MPM I think I can talk somebody into doing the right thing for me.
The big change. This is part 3 of the apr-util symbols rename, please see the first commit of srclib/apr-util/include (cvs apr-util/include) for the quick glance at symbols changed.
Get rid of ap_new_apr_connection(). ap_new_connection() now has fewer parameters: the local and remote socket addresses were removed from the parameter list because all required information is available via the APR socket. I haven't tested the most important part -- the WinNT MPM changes -- but it compiles and it looks okay :) If the WinNT MPM works on Win98 these days let me know.
Call apr_create_socket() instead of apr_create_tcp_socket() (deprecated).
Begin to remove some of the cache-ing logic from the http proxy.
More proxy fixes. There are still some bugs in this code, but this has successfully proxied www.yahoo.com and www.ntrnet.net among other test sites that I chose at random.
This removes all BUFF's from the HTTP proxy. This code is relatively ugly, but it does proxy pages. This even fixes the content-type bug that I introduced yesterday sometime. As soon as BUFF is removed from the FTP proxy, the buff.c and buff.h files need to go away.
Make the proxy work with filters. We are still using BUFF for the back-end communication, but BUFF has been removed from the communication with the client. The headers are not working correctly yet, but we are making progress. The most important part of this commit is that we are able to actually filter data coming from the proxy.
Changes for previous ap_proxy_doconnect() calling PR: Obtained from: Submitted by: Reviewed by:
The whole proxy compiles cleanly now. Now we need to make it actually work again, but at least we are making progress.
proxy_ftp and proxy_http both compile now. Not tested because the rest of the proxy is still not compiling, but we are making progress.
This is the 1.3.x current proxy into 2.0 - first stage PR: Obtained from: Sam Magnuson Submitted by: Chuck Murcko Reviewed by:
Remove all compiler warnings from the proxy code. There are no guarantees that this still works, but most of the changes were just const-safeness changes. PR: 6631
Remove IOLs from Apache. They are no longer necessary, now that we have filtering beginning to work. There is a hack that has been repeated through this patch, we morph a pipe into a socket, and put the socket into the BUFF. Every time we do that, we are working with a pipe from a CGI, and we should be creating a pipe bucket and passing that bucket back. Because we don't actually have pipe buckets yet, we are using this hack. When we get pipe buckets, this will be fixed.
Remaining cleanup of ap_ -> apr_ and AP_ -> APR_ transformation... see src/lib/apr/apr_compat.h for most details. Also a few minor nits to get Win32 to build. PR: Obtained from: Submitted by: Reviewed by:
prefix libapr functions and types with apr_
Remove iol_socket.h. This file had one declaration, and it makes more sense for that declaration to move to ap_iol.h. This also modifies all of the files that include iol_socket.h to include ap_iol.h
Combine some common code. Before this, all platforms implemented their own iol_sockets using APR. This just combines all of that code to a common file and moves that file to main. I have tested this with all of the Unix MPM's, but I am willing to bet I missed something (Makefiles) for Windows, and possibly moving some code for OS/2 and BeOS.
fixups for remaining current warnings Submitted by: Chuck Murcko
OK, this builds and is autoconf safe about system headers, until it starts using APR PR: Obtained from: Submitted by: Chuck Murcko Reviewed by:
New mod_proxy/mod_cache (file cache) for 2.0. This uses a caching API so that shared mem, LDAP servers, DBs, etc. can also be used for proxy caching. The caching API is very young, and subject to change as APR changes. proxy_cache.c from the proxy subdir is no longer used. Build with --enable-modules=proxy,cache Lightly tested on Linux, no warranties expressed or implied yet. Still to do: strerror(), waitpid(), stat() cleanups address issues marked by @@@FIXME add HTTP/1.1 This should be considered a *reference* proxy implementation for 2.0. What actually ends up shipping with 2.0 is likely going to be rather different as the redesign evolves. This may end up being the 2.0 backwards compatibility workalike. Modified to work with today's conf/build/layout scheme PR: Obtained from: Submitted by: Sam Magnuson Reviewed by: Chuck Murcko
Remove all occurrences of strerror from Apache. ap_strerror works just fine with standard errno values, and it is more portable. This also allows me to remove the check for strerror from Apache's configure script.
Change ap_context_t to ap_pool_t. This compiles, runs, and serves pages on Linux, but probably breaks somewhere.
Update to Apache Software License version 1.1
Fix all the License issues. Including: s/Apache Group/Apache Software Foundation/ s/1999/2000/ s/Sascha's license/ASF license
Changed pools to contexts. Tested with prefork and pthread mpm's. I'll check this out tomorrow and make sure everything was checked in correctly.
Changes from pthreads. Removes timeouts, adds mutex. This probably breaks the proxy on everything but pthreads. Submitted by: Bill Stoddard
Apache 1.3.9 baseline for the Apache 2.0 repository. Obtained from: Apache 1.3.9 (minus unused files), tag APACHE_1_3_9 Submitted by: Apache Group