Re: [VOTE] access control for dynamic hosts

2016-03-09 Thread fabien


Hello Yann,


+1: Mario Brandt, Yann Ylavic


I think you can go ahead, trunk is in CTR (Commit Then Review) mode.


Ok, I'll do a last check and commit soon.

--
Fabien.


Add ?? mod_proxy_http2 for NetWare build - Take 3 - Very close now!

2016-03-09 Thread NormW

G/M
Thanks Stefan for all the help so far.
A build of httpd-trunk this morning shows the following tweaks are 
still required:


- The additional exports in the two NWGNU files are for recent changes 
to mod_proxy_http2;
- The httpd_module export is already included in mod_http2.imp and need 
not be in the list also;

- By means unknown the

-   @$(OBJDIR)/mod_http2.imp \
acquired 4+ trailing spaces after the backslash character and thus Make 
would ignore the backslash and spit the dummy on the following line;

- mod_proxy_http2.c still needs the double quotes tweak.


Index: modules/http2/NWGNUmod_http2
===
--- modules/http2/NWGNUmod_http2	(revision 1734307)
+++ modules/http2/NWGNUmod_http2	(working copy)
@@ -260,8 +260,7 @@
 # Any symbols exported to here
 #
 FILES_nlm_exports = \
-	http2_module \
-	@$(OBJDIR)/mod_http2.imp \
+	@$(OBJDIR)/mod_http2.imp \
 	$(EOLIST)
 
 #
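Review bot: the removed `http2_module` line in `FILES_nlm_exports` is only safe to drop if the generated `$(OBJDIR)/mod_http2.imp` already lists that symbol, and the rule that writes the .imp file is outside this hunk. The covering message names the symbol as httpd_module while the hunk removes http2_module, so please confirm which name the .imp file actually carries. The trailing spaces after the backslash cannot be seen in a diff; a build-time check for whitespace following a line-continuation backslash in the NWGNU files would keep that from recurring.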
@@ -370,6 +369,7 @@
 	@echo $(DL) h2_iq_add,$(DL) >> $@
 	@echo $(DL) h2_iq_create,$(DL) >> $@
 	@echo $(DL) h2_iq_remove,$(DL) >> $@
+	@echo $(DL) h2_log2,$(DL) >> $@
 	@echo $(DL) h2_proxy_res_ignore_header,$(DL) >> $@
 	@echo $(DL) h2_request_create,$(DL) >> $@
 	@echo $(DL) h2_request_make,$(DL) >> $@
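Review bot: the added `h2_log2` entry puts what looks like a small internal helper on the list of exported symbols, which widens the surface other modules can link against. If it is exported only because mod_proxy_http2 calls it, as the covering message suggests, a short comment next to the entry saying so would make it clear the symbol is not general API.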
@@ -379,6 +379,7 @@
 	@echo $(DL) nghttp2_is_fatal,$(DL) >> $@
 	@echo $(DL) nghttp2_option_del,$(DL) >> $@
 	@echo $(DL) nghttp2_option_new,$(DL) >> $@
+	@echo $(DL) nghttp2_option_set_no_auto_window_update,$(DL) >> $@
 	@echo $(DL) nghttp2_option_set_peer_max_concurrent_streams,$(DL) >> $@
 	@echo $(DL) nghttp2_session_callbacks_del,$(DL) >> $@
 	@echo $(DL) nghttp2_session_callbacks_new,$(DL) >> $@
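Review bot: the added `nghttp2_option_set_no_auto_window_update` entry extends a hand-maintained list of nghttp2 library symbols that are echoed into `$@` for other modules to import. Every nghttp2 function mod_proxy_http2 starts calling needs a matching line here, and a missed one shows up only as an undefined symbol at link time, so a comment at the head of the list stating that rule would help the next editor.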
Index: modules/http2/mod_proxy_http2.c
===
--- modules/http2/mod_proxy_http2.c	(revision 1734307)
+++ modules/http2/mod_proxy_http2.c	(working copy)
@@ -17,7 +17,7 @@
 
 #include 
 #include 
-#include 
+#include "mod_http2.h"
 
 
 #include "mod_proxy_http2.h"
Index: modules/http2/NWGNUproxyht2
===
--- modules/http2/NWGNUproxyht2	(revision 1734307)
+++ modules/http2/NWGNUproxyht2	(working copy)
@@ -237,6 +237,7 @@
 	ap_proxy_port_of_scheme \
 	ap_proxy_release_connection \
 	ap_proxy_ssl_connection_cleanup \
+	ap_sock_disable_nagle \
 	proxy_hook_canon_handler \
 	proxy_hook_scheme_handler \
 	proxy_module \


Fwd: RFC 7804 on Salted Challenge Response HTTP Authentication Mechanism

2016-03-09 Thread Roy T. Fielding
For folks looking for a new feature to develop,

Roy


> Begin forwarded message:
> 
> From: rfc-edi...@rfc-editor.org
> Subject: RFC 7804 on Salted Challenge Response HTTP Authentication Mechanism
> Date: March 9, 2016 at 11:01:55 AM PST
> To: ietf-annou...@ietf.org, rfc-d...@rfc-editor.org
> Cc: drafts-update-...@iana.org, http-a...@ietf.org, rfc-edi...@rfc-editor.org
> Reply-To: i...@ietf.org
> List-Archive: 
> 
> A new Request for Comments is now available in online RFC libraries.
> 
> 
> RFC 7804
> 
> Title:      Salted Challenge Response HTTP Authentication
>             Mechanism
> Author:     A. Melnikov
> Status:     Experimental
> Stream:     IETF
> Date:       March 2016
> Mailbox:    alexey.melni...@isode.com
> Pages:      18
> Characters: 39440
> Updates/Obsoletes/SeeAlso: None
> 
> I-D Tag:    draft-ietf-httpauth-scram-auth-15.txt
> 
> URL:        https://www.rfc-editor.org/info/rfc7804
> 
> DOI:        http://dx.doi.org/10.17487/RFC7804
> 
> This specification describes a family of HTTP authentication
> mechanisms called the Salted Challenge Response Authentication
> Mechanism (SCRAM), which provides a more robust authentication
> mechanism than a plaintext password protected by Transport Layer
> Security (TLS) and avoids the deployment obstacles presented by
> earlier TLS-protected challenge response authentication mechanisms.
> 
> This document is a product of the Hypertext Transfer Protocol Authentication 
> Working Group of the IETF.
> 
> 
> EXPERIMENTAL: This memo defines an Experimental Protocol for the
> Internet community.  It does not specify an Internet standard of any
> kind. Discussion and suggestions for improvement are requested.
> Distribution of this memo is unlimited.
> 
> This announcement is sent to the IETF-Announce and rfc-dist lists.
> To subscribe or unsubscribe, see
>  https://www.ietf.org/mailman/listinfo/ietf-announce
>  https://mailman.rfc-editor.org/mailman/listinfo/rfc-dist
> 
> For searching the RFC series, see https://www.rfc-editor.org/search
> For downloading RFCs, see https://www.rfc-editor.org/retrieve/bulk
> 
> Requests for special distribution should be addressed to either the
> author of the RFC in question, or to rfc-edi...@rfc-editor.org.  Unless
> specifically noted otherwise on the RFC itself, all RFCs are for
> unlimited distribution.
> 
> 
> The RFC Editor Team
> Association Management Solutions, LLC
> 
> 



Re: [VOTE] access control for dynamic hosts

2016-03-09 Thread Yann Ylavic
Hi Fabien,

On Wed, Mar 9, 2016 at 5:44 PM,   wrote:
>
> Currently 2 votes:
>
> +1: Mario Brandt, Yann Ylavic

I think you can go ahead, trunk is in CTR (Commit Then Review) mode.
You may have more feedback when done...

Regards,
Yann.


Re: Add ?? mod_proxy_http2 for NetWare build - Take 1

2016-03-09 Thread Stefan Eissing
Applied to trunk in r1734286. 

> Am 04.03.2016 um 22:56 schrieb NormW :
> 
> G/M,
> The attached patch and NWGNUproxyht2 builds the (trunk) mod_proxy_http2 
> module BUT does include some AS YET unapproved minor tweaks in the two 
> proxy_http2 source files.
> 
> Norm
> 



Re: [VOTE] access control for dynamic hosts

2016-03-09 Thread fabien



I'm proposing to commit the patch if I'm given a go.


Currently 2 votes:

+1: Mario Brandt, Yann Ylavic

--
Fabien.


Re: svn commit: r1734231 - /httpd/httpd/trunk/include/http_protocol.h

2016-03-09 Thread Stefan Eissing
You are correct. Fixed in r1734281.

> Am 09.03.2016 um 16:57 schrieb Ruediger Pluem :
> 
> 
> 
> On 03/09/2016 01:39 PM, ic...@apache.org wrote:
>> Author: icing
>> Date: Wed Mar  9 12:39:04 2016
>> New Revision: 1734231
>> 
>> URL: http://svn.apache.org/viewvc?rev=1734231=rev
>> Log:
>> added AP_DECLARE for new ap_create_request
>> 
>> Modified:
>>httpd/httpd/trunk/include/http_protocol.h
>> 
>> Modified: httpd/httpd/trunk/include/http_protocol.h
>> URL: 
>> http://svn.apache.org/viewvc/httpd/httpd/trunk/include/http_protocol.h?rev=1734231=1734230=1734231=diff
>> ==
>> --- httpd/httpd/trunk/include/http_protocol.h (original)
>> +++ httpd/httpd/trunk/include/http_protocol.h Wed Mar  9 12:39:04 2016
>> @@ -58,7 +58,7 @@ AP_DECLARE_DATA extern ap_filter_rec_t *
>>  * @param c The current connection
>>  * @return The new request_rec
>>  */
>> -request_rec *ap_create_request(conn_rec *c);
>> +AP_DECLARE(request_rec *) ap_create_request(conn_rec *c);
>> 
>> /**
>>  * Read a request and fill in the fields.
>> 
>> 
>> 
> 
> Don't we need to do this in server/protocol.c as well?
> 
> Regards
> 
> Rüdiger



Re: svn commit: r1734231 - /httpd/httpd/trunk/include/http_protocol.h

2016-03-09 Thread Ruediger Pluem


On 03/09/2016 01:39 PM, ic...@apache.org wrote:
> Author: icing
> Date: Wed Mar  9 12:39:04 2016
> New Revision: 1734231
> 
> URL: http://svn.apache.org/viewvc?rev=1734231=rev
> Log:
> added AP_DECLARE for new ap_create_request
> 
> Modified:
> httpd/httpd/trunk/include/http_protocol.h
> 
> Modified: httpd/httpd/trunk/include/http_protocol.h
> URL: 
> http://svn.apache.org/viewvc/httpd/httpd/trunk/include/http_protocol.h?rev=1734231=1734230=1734231=diff
> ==
> --- httpd/httpd/trunk/include/http_protocol.h (original)
> +++ httpd/httpd/trunk/include/http_protocol.h Wed Mar  9 12:39:04 2016
> @@ -58,7 +58,7 @@ AP_DECLARE_DATA extern ap_filter_rec_t *
>   * @param c The current connection
>   * @return The new request_rec
>   */
> -request_rec *ap_create_request(conn_rec *c);
> +AP_DECLARE(request_rec *) ap_create_request(conn_rec *c);
>  
>  /**
>   * Read a request and fill in the fields.
> 
> 
> 
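Review bot: the new declaration `AP_DECLARE(request_rec *) ap_create_request(conn_rec *c);` correctly puts the whole return type, pointer included, inside the macro, but the commit lists only http_protocol.h under "Modified". The definition of ap_create_request needs the same `AP_DECLARE(request_rec *)` wrapper, so that declaration and definition agree on platforms where the macro expands to an export or calling-convention attribute.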

Don't we need to do this in server/protocol.c as well?

Regards

Rüdiger


Re: [VOTE] backport mod_proxy_http2 to 2.4.x as experimental

2016-03-09 Thread Jim Jagielski
Go ahead and propose for backport... it will require 3 +1s
for inclusion.

> On Mar 9, 2016, at 7:53 AM, Stefan Eissing  
> wrote:
> 
> I propose to backport mod_proxy_http2 to 2.4.x as an experimental
> module with the same restrictions as mod_http2.
> 
> Purpose:
> mod_proxy_http2 allows proxy HTTP/2 connections, using its own
> h2: and h2c: proxy schemes for the configuration. It expects
> the backend to talk HTTP/2 and will not fall back to HTTP/1.1.
> 
> When called inside an HTTP/1.1 connection, it will open/reuse
> an existing HTTP/2 backend connection for this one request. 
> 
> When called inside a HTTP/2 connection, new requests can be 
> transferred to an already ongoing backend HTTP/2 connection
> for the same master. So, in an ideal case, all concurrent streams
> inside one frontend connection are managed to the backend over
> a single connection as well.
> 
> Status:
> The module functions in standard HTTP/2 test scenarios and seems
> stable under basic load. Performance is good for small requests
> but flow control handling is not good for large responses and 
> performance degrades. Collecting feedback from early testers
> will be valuable - as was for mod_http2.
> 
> 



backport proposal vote

2016-03-09 Thread Stefan Eissing
I hope this is how it's done...

-Stefan


[VOTE] backport mod_proxy_http2 to 2.4.x as experimental

2016-03-09 Thread Stefan Eissing
I propose to backport mod_proxy_http2 to 2.4.x as an experimental
module with the same restrictions as mod_http2.

Purpose:
mod_proxy_http2 allows proxy HTTP/2 connections, using its own
h2: and h2c: proxy schemes for the configuration. It expects
the backend to talk HTTP/2 and will not fall back to HTTP/1.1.

When called inside an HTTP/1.1 connection, it will open/reuse
an existing HTTP/2 backend connection for this one request. 

When called inside a HTTP/2 connection, new requests can be 
transferred to an already ongoing backend HTTP/2 connection
for the same master. So, in an ideal case, all concurrent streams
inside one frontend connection are managed to the backend over
a single connection as well.

Status:
The module functions in standard HTTP/2 test scenarios and seems
stable under basic load. Performance is good for small requests
but flow control handling is not good for large responses and 
performance degrades. Collecting feedback from early testers
will be valuable - as was for mod_http2.




Re: svn commit: r1705217 - in /httpd/httpd/trunk: CHANGES server/util_script.c

2016-03-09 Thread Yann Ylavic
On Wed, Mar 9, 2016 at 1:13 PM, Yann Ylavic  wrote:
> On Fri, Sep 25, 2015 at 8:29 AM,   wrote:
>> Author: gsmith
>> Date: Fri Sep 25 06:29:05 2015
>> New Revision: 1705217
>>
>> URL: http://svn.apache.org/viewvc?rev=1705217=rev
>> Log:
>> core/util_script: relax alphanumeric filter of environment variable names
>> on Windows to allow '(' and ')' for passing PROGRAMFILES(X86) et al.
>> unadulterated in 64 bit versions of Windows. PR 46751.
>
> Can one define functions in environment variables on Windows (and if
> so is the parenthesis in the place)?
> I don't think so, but not very aware of Windows things either, thus
> prefer to ask wrt CVE-2014-6271...
>
> What about MinGW or any unix-like shell ported on Windows (which could
> be used as CGI)?

It seems we didn't do anything about CVE-2014-6271 et al. anyway (bash
issue), still I find these permissive env names quite dubious...
Btw, CGIs that really care about these vars could use PROGRAMFILES_X86_ already.
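
The name filter discussed in this message and in the quoted commit log, as an added example (not httpd's own code and not part of the original message): a hypothetical `sanitize_env_name` helper rewrites the name part of constructed `NAME=value` entries, once strictly and once with `(` and `)` allowed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical helper (not httpd's function): rewrite the NAME part of a
 * "NAME=value" entry in place before it is handed to a CGI child.
 * Strict mode keeps only [A-Za-z0-9_]; allow_parens additionally keeps
 * '(' and ')', the relaxation described for Windows. The value after '='
 * is never touched. Returns the number of characters replaced by '_'.
 */
int sanitize_env_name(char *entry, int allow_parens)
{
    int replaced = 0;
    char *p = entry;

    /* A name must not start with a digit. */
    if (isdigit((unsigned char)*p)) {
        *p++ = '_';
        replaced++;
    }
    for (; *p != '\0' && *p != '='; ++p) {
        unsigned char c = (unsigned char)*p;
        if (isalnum(c) || c == '_')
            continue;
        if (allow_parens && (c == '(' || c == ')'))
            continue;
        *p = '_';
        replaced++;
    }
    return replaced;
}

int main(void)
{
    /* Constructed sample entries, not taken from a real server. */
    const char *samples[] = {
        "PROGRAMFILES(X86)=C:\\Program Files (x86)",
        "HTTP_X-Custom.Header=1",
        "1ST(A)=x",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char strict[64], relaxed[64];
        snprintf(strict, sizeof strict, "%s", samples[i]);
        snprintf(relaxed, sizeof relaxed, "%s", samples[i]);
        sanitize_env_name(strict, 0);
        sanitize_env_name(relaxed, 1);
        printf("strict:  %s\nrelaxed: %s\n", strict, relaxed);
    }
    return 0;
}
```

In strict mode `PROGRAMFILES(X86)` comes out as `PROGRAMFILES_X86_`, the name the message above mentions; the relaxed mode passes the parentheses through unchanged.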


Re: h2_request.c > ap_create_request() puzzle.

2016-03-09 Thread Stefan Eissing
The DECLARE is missing, I think. Added in r1734231.

> Am 09.03.2016 um 13:15 schrieb NormW :
> 
> G/E
> Can't decide if the following:
> 
>> GEN  obj_release/mod_http2_link.opt
>> LINK obj_release/mod_http2.nlm
>> ### mwldnlm Linker Error:
>> #   Undefined symbol: ap_create_request in
>> #   h2_request.o
> 
> is a typo and should be calling ap_create_request_config()
> 
> or if:
> 
>> request_rec *ap_create_request(conn_rec *conn)
> (protocol.c/http_protocol.h)
> 
> needs to be declared as:
> 
>> AP_DECLARE(request_rec) *ap_create_request(conn_rec *conn)
> 
> otherwise the ap_create_request symbol is not exported from the server for 
> use by other modules...?
> 
> Norm



h2_request.c > ap_create_request() puzzle.

2016-03-09 Thread NormW

G/E
Can't decide if the following:


GEN  obj_release/mod_http2_link.opt
LINK obj_release/mod_http2.nlm
### mwldnlm Linker Error:
#   Undefined symbol: ap_create_request in
#   h2_request.o


is a typo and should be calling ap_create_request_config()

or if:


request_rec *ap_create_request(conn_rec *conn)

(protocol.c/http_protocol.h)

needs to be declared as:


AP_DECLARE(request_rec) *ap_create_request(conn_rec *conn)


otherwise the ap_create_request symbol is not exported from the server 
for use by other modules...?


Norm


Re: svn commit: r1705217 - in /httpd/httpd/trunk: CHANGES server/util_script.c

2016-03-09 Thread Yann Ylavic
On Fri, Sep 25, 2015 at 8:29 AM,   wrote:
> Author: gsmith
> Date: Fri Sep 25 06:29:05 2015
> New Revision: 1705217
>
> URL: http://svn.apache.org/viewvc?rev=1705217=rev
> Log:
> core/util_script: relax alphanumeric filter of environment variable names
> on Windows to allow '(' and ')' for passing PROGRAMFILES(X86) et al.
> unadulterated in 64 bit versions of Windows. PR 46751.

Can one define functions in environment variables on Windows (and if
so is the parenthesis in the place)?
I don't think so, but not very aware of Windows things either, thus
prefer to ask wrt CVE-2014-6271...

What about MinGW or any unix-like shell ported on Windows (which could
be used as CGI)?

Regards,
Yann.