Re: mod_lets-encrypt

2017-01-10 Thread Jacob Champion

On 01/10/2017 08:35 AM, Dirk-Willem van Gulik wrote:

> Before I send someone into the woods - did anyone consider/do a quick
> ‘mod_lets_encrypt’ (with or without a persistent store) — that
> requires virtually no configuration ?


Considered? Yes. Back in August there was some discussion on this list 
with Josh Aas. I don't know what the current status is.


See


https://lists.apache.org/thread.html/ea902ae8e453b3a8d36345318fc74a54880d8bf14fed24e665c4b833@%3Cdev.httpd.apache.org%3E

and


https://lists.apache.org/thread.html/27d1fce7d30d9e31e2472045c260e4f8dcefd300a731ff9e435a5d4a@%3Cdev.httpd.apache.org%3E

--Jacob


mod_lets-encrypt

2017-01-10 Thread Dirk-Willem van Gulik
Before I send someone into the woods - did anyone consider/do a quick 
‘mod_lets_encrypt’ (with or without a persistent store) — that requires 
virtually no configuration ?

Or is the web world still thinking unix with clear small concise scripts that 
do one thing well ?

Dw

Re: svn commit: r1776285 - /httpd/httpd/trunk/modules/proxy/mod_proxy_wstunnel.c

2017-01-10 Thread Eric Covener
On Tue, Jan 10, 2017 at 4:59 AM, Ruediger Pluem wrote:
>
>
> On 12/28/2016 03:40 PM, cove...@apache.org wrote:
>> Author: covener
>> Date: Wed Dec 28 14:40:54 2016
>> New Revision: 1776285
>>
>> URL: http://svn.apache.org/viewvc?rev=1776285=rev
>> Log:
>> improve a debug message
>>
>>
>> Modified:
>> httpd/httpd/trunk/modules/proxy/mod_proxy_wstunnel.c
>>
>> Modified: httpd/httpd/trunk/modules/proxy/mod_proxy_wstunnel.c
>> URL: 
>> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_wstunnel.c?rev=1776285=1776284=1776285=diff
>> ==
>> --- httpd/httpd/trunk/modules/proxy/mod_proxy_wstunnel.c (original)
>> +++ httpd/httpd/trunk/modules/proxy/mod_proxy_wstunnel.c Wed Dec 28 14:40:54 
>> 2016
>> @@ -467,7 +467,8 @@ static int proxy_wstunnel_handler(reques
>>  upgrade = apr_table_get(r->headers_in, "Upgrade");
>>  if (!upgrade || ap_cstr_casecmp(upgrade, "WebSocket") != 0) {
>>  ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02900)
>> -  "declining URL %s  (not WebSocket)", url);
>> +  "declining URL %s  (not WebSocket, Upgrade: header is 
>> %s)",
>> +  url, upgrade ? "missing" : upgrade);
>
> Shouldn't it be
>
> upgrade ? upgrade : "missing"

yes thanks as always!  flipped in 1778117


Re: svn commit: r1776575 - in /httpd/httpd/trunk: docs/log-message-tags/next-number docs/manual/mod/mod_remoteip.xml modules/metadata/mod_remoteip.c

2017-01-10 Thread Ruediger Pluem


On 12/30/2016 03:20 PM, drugg...@apache.org wrote:
> Author: druggeri
> Date: Fri Dec 30 14:20:48 2016
> New Revision: 1776575
> 
> URL: http://svn.apache.org/viewvc?rev=1776575=rev
> Log:
> Merge new PROXY protocol code into mod_remoteip
> 
> Modified:
> httpd/httpd/trunk/docs/log-message-tags/next-number
> httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml
> httpd/httpd/trunk/modules/metadata/mod_remoteip.c
> 

> ==
> --- httpd/httpd/trunk/modules/metadata/mod_remoteip.c (original)
> +++ httpd/httpd/trunk/modules/metadata/mod_remoteip.c Fri Dec 30 14:20:48 2016

> @@ -427,6 +730,464 @@ static int remoteip_modify_request(reque
>  return OK;
>  }
>  
> +static int remoteip_is_server_port(apr_port_t port)
> +{
> +ap_listen_rec *lr;
> +
> +for (lr = ap_listeners; lr; lr = lr->next) {
> +if (lr->bind_addr && lr->bind_addr->port == port) {
> +return 1;
> +}
> +}
> +
> +return 0;
> +}
> +
> +/*
> + * Human readable format:
> + * PROXY {TCP4|TCP6|UNKNOWN}
> 
> + */
> +static remoteip_parse_status_t remoteip_process_v1_header(conn_rec *c,
> +  
> remoteip_conn_config_t *conn_conf,
> +  proxy_header *hdr, 
> apr_size_t len,
> +  apr_size_t 
> *hdr_len)
> +{
> +char *end, *word, *host, *valid_addr_chars, *saveptr;
> +char buf[sizeof(hdr->v1.line)];
> +apr_port_t port;
> +apr_status_t ret;
> +apr_int32_t family;
> +
> +#define GET_NEXT_WORD(field) \
> +word = apr_strtok(NULL, " ", ); \
> +if (!word) { \
> +ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(03497) \
> +  "RemoteIPProxyProtocol: no " field " found in header 
> '%s'", \
> +  hdr->v1.line); \
> +return HDR_ERROR; \
> +}
> +
> +end = memchr(hdr->v1.line, '\r', len - 1);
> +if (!end || end[1] != '\n') {
> +return HDR_NEED_MORE; /* partial or invalid header */
> +}
> +
> +*end = '\0';
> +*hdr_len = end + 2 - hdr->v1.line; /* skip header + CRLF */
> +
> +/* parse in separate buffer so have the original for error messages */
> +strcpy(buf, hdr->v1.line);
> +
> +apr_strtok(buf, " ", );
> +
> +/* parse family */
> +GET_NEXT_WORD("family")
> +if (strcmp(word, "UNKNOWN") == 0) {
> +conn_conf->client_addr = c->client_addr;
> +conn_conf->client_ip = c->client_ip;
> +return HDR_DONE;
> +}
> +else if (strcmp(word, "TCP4") == 0) {
> +family = APR_INET;
> +valid_addr_chars = "0123456789.";
> +}
> +else if (strcmp(word, "TCP6") == 0) {
> +#if APR_HAVE_IPV6
> +family = APR_INET6;
> +valid_addr_chars = "0123456789abcdefABCDEF:";
> +#else
> +ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(03498)
> +  "RemoteIPProxyProtocol: Unable to parse v6 address - 
> APR is not compiled with IPv6 support",
> +  word, hdr->v1.line);
> +return HDR_ERROR;
> +#endif
> +}
> +else {
> +ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(03499)
> +  "RemoteIPProxyProtocol: unknown family '%s' in header 
> '%s'",
> +  word, hdr->v1.line);
> +return HDR_ERROR;
> +}
> +
> +/* parse client-addr */
> +GET_NEXT_WORD("client-address")
> +
> +if (strspn(word, valid_addr_chars) != strlen(word)) {
> +ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(03500)
> +  "RemoteIPProxyProtocol: invalid client-address '%s' 
> found in "
> +  "header '%s'", word, hdr->v1.line);
> +return HDR_ERROR;
> +}
> +
> +host = word;
> +
> +/* parse dest-addr */
> +GET_NEXT_WORD("destination-address")
> +
> +/* parse client-port */
> +GET_NEXT_WORD("client-port")
> +if (sscanf(word, "%hu", ) != 1) {
> +ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(03501)
> +  "RemoteIPProxyProtocol: error parsing port '%s' in 
> header '%s'",
> +  word, hdr->v1.line);
> +return HDR_ERROR;
> +}
> +
> +/* parse dest-port */
> +/* GET_NEXT_WORD("destination-port") - no-op since we don't care about 
> it */
> +
> +/* create a socketaddr from the info */
> +ret = apr_sockaddr_info_get(_conf->client_addr, host, family, port, 
> 0,
> +c->pool);
> +if (ret != APR_SUCCESS) {
> +conn_conf->client_addr = NULL;
> +ap_log_cerror(APLOG_MARK, APLOG_ERR, ret, c, APLOGNO(03502)
> +  "RemoteIPProxyProtocol: error converting family '%d', 
> host '%s',"
> +  " and port '%hu' to sockaddr; header was '%s'",
> +  family, host, port, 
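
Review bot: In remoteip_process_v1_header, the call memchr(hdr->v1.line, '\r', len - 1) computes len - 1 on an apr_size_t, so a len of 0 wraps to a huge count and the scan runs past the buffer; nothing in these lines shows the caller ruling that out, so return HDR_NEED_MORE when len < 2 before calling memchr. The client-port parse with sscanf "%hu" accepts trailing garbage such as "80abc" and has no visible range check, while the client address at least gets a strspn whitelist; a strict conversion that checks the end pointer and the 0-65535 range would match that level of care. The destination-address word is read but never validated, the APLOGNO(03498) call passes word and hdr->v1.line to a format string that has no conversions, and the strcpy into buf is only safe as long as len never exceeds sizeof(hdr->v1.line), which a bounded copy would make explicit.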

Re: svn commit: r1776285 - /httpd/httpd/trunk/modules/proxy/mod_proxy_wstunnel.c

2017-01-10 Thread Ruediger Pluem


On 12/28/2016 03:40 PM, cove...@apache.org wrote:
> Author: covener
> Date: Wed Dec 28 14:40:54 2016
> New Revision: 1776285
> 
> URL: http://svn.apache.org/viewvc?rev=1776285=rev
> Log:
> improve a debug message
> 
> 
> Modified:
> httpd/httpd/trunk/modules/proxy/mod_proxy_wstunnel.c
> 
> Modified: httpd/httpd/trunk/modules/proxy/mod_proxy_wstunnel.c
> URL: 
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_wstunnel.c?rev=1776285=1776284=1776285=diff
> ==
> --- httpd/httpd/trunk/modules/proxy/mod_proxy_wstunnel.c (original)
> +++ httpd/httpd/trunk/modules/proxy/mod_proxy_wstunnel.c Wed Dec 28 14:40:54 
> 2016
> @@ -467,7 +467,8 @@ static int proxy_wstunnel_handler(reques
>  upgrade = apr_table_get(r->headers_in, "Upgrade");
>  if (!upgrade || ap_cstr_casecmp(upgrade, "WebSocket") != 0) {
>  ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02900)
> -  "declining URL %s  (not WebSocket)", url);
> +  "declining URL %s  (not WebSocket, Upgrade: header is 
> %s)", 
> +  url, upgrade ? "missing" : upgrade);
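
Review bot: The ternary on the added argument line is inverted: upgrade ? "missing" : upgrade logs "missing" when the Upgrade header is present and hands the NULL pointer to %s when it is absent, which is the !upgrade case this branch is entered for. Swap the arms so the message carries the received header value, or "missing" when there is none.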

Shouldn't it be

upgrade ? upgrade : "missing"

Regards

Rüdiger


Re: svn commit: r1777998 - /httpd/httpd/branches/2.2.x/STATUS

2017-01-10 Thread Yann Ylavic
On Tue, Jan 10, 2017 at 8:33 AM, William A Rowe Jr wrote:
> As this seems (once applied to 2.4) to be an accepted part of the overall 
> patch,
> Yann you might want to add this to the merge/backport patch branches as part
> of our overall, recommended patches against 2.2/2.4.

Done in r1778094 (2.2.x-merge) and r1778094 (2.4.x-merge).