Re: [VOTE] Release httpd-2.4.59-rc1 as httpd-2.4.59

2024-04-03 Thread Frank Gingras
On Wed, Apr 3, 2024 at 9:16 AM Stefan Eissing via dev wrote:

>
>
> > On 03.04.2024 at 14:26, Eric Covener wrote:
> >
> > Hi all,
> >
> > (After only minor embarrassment of patching tags/2.4.55 instead of 2.4.x...)
> >
> > Please find below the proposed release tarball and signatures:
> >
> > https://dist.apache.org/repos/dist/dev/httpd/
> >
> > I would like to call a SHORTENED VOTE to release
> > this candidate tarball httpd-2.4.59-rc1 as 2.4.59:
> > [ ] +1: It's not just good, it's good enough!
> > [ ] +0: Let's have a talk.
> > [ ] -1: There's trouble in paradise. Here's what's wrong.
> >
> > The computed digests of the tarball up for vote are:
> > = e4ec4ce12c6c8f5a794dc2263d126cb1d6ef667f034c4678ec945d61286e8b0f
> > = baa96a7c9bba48f758ca9b3e3d63f0c65db960653618109d4d7bcbf3d4776d1d51453beb65e5af57655f0b1cfb88913842bc3a117fe7acc754ddb43d4524bc82
> >
> > The SVN candidate source is found at tags/2.4.59-rc1-candidate.
>
> +1 (macOS, 23.4.0, x86_64)
>
> Thanks,
> Stefan


+1 here, no problem on Slackware64.


Re: release apreq 2.18 and mothball the project

2024-02-15 Thread Frank Gingras
On Thu, Feb 15, 2024 at 5:47 PM Joe Schaefer  wrote:

> Nobody gives a flying f what you released from trunk. I personally will be
> dead and buried before you release httpd 3.0.  So like you I don’t give a
> damned what you do with it.
>
> I just want the warfare against existing libapreq2 users to cease and
> desist.
>
> If there are known vulnerabilities in the existing codebase, you have a
> professional obligation to report them to the security team, who have
> assured me they will send them my way for proper handling by a competent
> engineer.
>
> None have been forthcoming, so that’s reason to release 2.18 as-is and
> mothball the subproject so we need not deal with each other again over it.
>
> Thanks
>
> Joe Schaefer, Ph.D.
> 
> Orion - The Enterprise Jamstack Wiki
> 
> 
> 954.253.3732 
>
>
>
>
> On Thu, Feb 15, 2024 at 5:17 PM Eric Covener  wrote:
>
>> On Wed, Feb 14, 2024 at 11:57 PM Joe Schaefer  wrote:
>>
>>> Twenty years in core, with one bug to fix.
>>> And you couldn’t even manage without three different botched releases.
>>>
>>
>> I think you are mixing up apreq and httpd releases here.
>> AIUI the apreq stuff in the core of httpd-trunk has only ever been in one
>> alpha release, and predates the regression.
>>
>> I'll keep any advice about an apreq release to myself, good luck and
>> please be mindful of the CoC
>> https://www.apache.org/foundation/policies/conduct
>>
>>
Respectfully, the tone of that response was unwarranted. There are better
ways to express your opinion that don't require attacks, and cynicism.


Re: [VOTE] Release httpd-2.4.58-rc3 as httpd-2.4.58

2023-10-16 Thread Frank Gingras
+1 for me, Slackware64 15.0. Thanks for the RM, yes.

On Mon, Oct 16, 2023 at 11:43 AM Joe Orton  wrote:

> On Mon, Oct 16, 2023 at 05:08:11PM +0200, Stefan Eissing via dev wrote:
> > Hi all,
> >
> > after fixing my merge mistake in rc2 (sorry!), we go again:
> >
> > Please find below the proposed release tarball and signatures:
> >
> > https://dist.apache.org/repos/dist/dev/httpd/
> >
> > I would like to call a VOTE over the next few days to release
> > this candidate tarball httpd-2.4.58-rc3 as 2.4.58:
> > [X] +1: It's not just good, it's good enough!
> > [ ] +0: Let's have a talk.
> > [ ] -1: There's trouble in paradise. Here's what's wrong.
>
> +1 for release from me, sigs good; builds and passes tests on Fedora 39
> and RHEL 8 and 9, my old computers are happy again ;)
>
> Big thanks for fixes and RMing.
>
> Regards, Joe
>
>


Re: mod_wasm: Contributing Upstream to Apache

2023-06-01 Thread Frank Gingras
As per the instructions:

To unsubscribe, send a message to users-unsubscr...@httpd.apache.org
(or, if you are subscribed to the digest version of the list, send to
users-digest-unsubscr...@httpd.apache.org). You must send the
unsubscribe message from the same email address that you used to subscribe
to the list.

To complete the unsubscription process you must reply to a confirmation
email. If you do not receive this confirmation email, please check your
spam filters to see if they are capturing the message.


In this case, you would want to email dev-unsubscr...@httpd.apache.org





On Thu, Jun 1, 2023 at 4:32 PM Dan Ehrlich via dev wrote:

> Hi:
>
> Can I be unsubscribed from this list?
>
> Have sent previous messages following all the instructions on this page
> but to no avail:
> https://httpd.apache.org/userslist.html.
>
>
> Best,
>
> Dan
>
> On Fri, Jan 27, 2023 at 11:36 AM Jesús González wrote:
>
>> Thanks Joe. You are correct, this initial implementation is the simplest
>> one to get it off the ground. We plan to continue development and add the
>> streaming functionality, which we know we will need for things like large
>> PDF file generation or support for Proxy-Wasm.
>>
>>
>>
>> Yes, isolating language runtimes (PHP, Python, ...) per thread is a cool
>> feature that enables new possibilities like simultaneously supporting
>> multiple versions of PHP as well as better multi-tenancy (you will be able
>> to keep user's code and assets separate from each other using Wasm built-in
>> isolation mechanism).
>>
>>
>>
>> Regarding apreq, right now we have not had a need to use it as we pass
>> most of the headers and body to the runtimes themselves as the language
>> runtimes code for handling requests, etc. takes care of it as part of the
>> CGI implementation, etc. As we look to add different functionality (i.e.
>> extending Apache itself) we will probably provide access to it from Wasm.
>>
>>
>>
>>
>>
>> *From: *Joe Schaefer 
>> *Reply-To: *"dev@httpd.apache.org" 
>> *Date: *Thursday, January 26, 2023, 5:17
>> *To: *"dev@httpd.apache.org" 
>> *Subject: *Re: mod_wasm: Contributing Upstream to Apache
>>
>>
>>
>> Still, the idea is wicked cool if mod_wasm really can isolate the Python,
>> PHP, etc targets onto individual POSIX threads.
>>
>>
>>
>> Very exciting stuff for HTTP/2 Webapps.
>>
>


Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-09 Thread Frank Gingras
Or use [B], while being aware of the drawbacks.

On Thu, Mar 9, 2023 at 2:38 PM Fossies Administrator <jens.schleuse...@fossies.org> wrote:

> On Thu, 9 Mar 2023, Eric Covener wrote:
>
> > On Thu, Mar 9, 2023 at 12:14 PM  wrote:
> >>
> >> On 3/9/23 05:30, Eric Covener wrote:
> >>>
> >>>
> >>> On Wed, Mar 8, 2023 at 11:02 PM BUSH Steve wrote:
> >>>
> >>> Correction!
> >>>
> >>> I used our test template for the rule when I e-mailed just now, but once it is converted to the apache httpd.conf format, the actual rule appears in the httpd.conf as:
> >>>
> >>> RewriteRule ^/zoology/animals/reset/(\d+)$ "/auth/launchjob?Number of Records=$1&__poolid=animal-magic" [B,PT,L,QSA]
> >>>
> >>>
> >>> Thanks for the report.   Time will tell, but I think this is a very fringe case. The space isn't a backreference (where `B` would have fixed it) and a literal with a space in the substitution has to be quite rare (famous last words)
> >>
> >> I wonder how many websites might have a snippet similar to:
> >>
> >> RewriteRule ^/search/(.*)$ /search.php?term=$1 [PT,L,QSA]
> >
> > I do worry about this style a lot more, especially with how much of a
> > pain [B] has been for me in the past.
> > I think we can wait and see and only look for more problematic
> > characters in the mod_rewrite.c change.
>
> I use a bit historically a rule principally like
>
>   RewriteRule file_name_pattern cgi_app?$1/$2 [T=application/x-httpd-cgi,L]
>
> With httpd-2.4.56 now all requests using file names containing a space are
> blocked (403 Forbidden) with the according error log entry
>
>   AH10410: Rewritten query string contains control characters or spaces
>
> The called CGI application tries to handle "bad" characters itself so from
> my egoistic point of view at least spaces should be allowed here (may be
> by an extra directive).
>
> In my case, the only but unsatisfactory workaround I have found so far
> would be to replace the affected spaces with %2520.
>
> Jens
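
The rewrite rules discussed in this thread, run through a small config check (an added example, not part of the original messages and not httpd code). It flags substitutions whose query string holds a literal space, which [B] cannot repair, and backreferences copied into a query string without [B]; the function names, finding labels and the last two sample rules are assumptions made for illustration.

```python
import re

# Constructed sample: the first two rules are quoted in the thread, the last two are made up.
SAMPLE_CONF = r'''
RewriteRule ^/zoology/animals/reset/(\d+)$ "/auth/launchjob?Number of Records=$1&__poolid=animal-magic" [B,PT,L,QSA]
RewriteRule ^/search/(.*)$ /search.php?term=$1 [PT,L,QSA]
RewriteRule ^/find/(.*)$ /search.php?term=$1 [B,PT,L,QSA]
RewriteRule ^/old/(.*)$ /new/$1 [R=301,L]
'''

# A directive argument is either a double-quoted string or a run of non-blanks.
TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')
BACKREF = re.compile(r'[$%][0-9]')            # $N (RewriteRule) or %N (RewriteCond)
BAD_LITERAL = re.compile(r'[\x00-\x20\x7f]')  # control characters and space


def parse_flags(token):
    """Turn '[B,PT,R=301]' into {'B', 'PT', 'R'}; anything else gives an empty set."""
    if not (token.startswith('[') and token.endswith(']')):
        return set()
    names = (f.split('=', 1)[0].strip().upper() for f in token[1:-1].split(','))
    return {n for n in names if n}


def audit(conf_text):
    """Return (line_number, finding) pairs; the finding labels are this example's own."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        args = [quoted or bare for quoted, bare in TOKEN.findall(line)]
        if len(args) < 3 or args[0].lower() != 'rewriterule':
            continue
        flags = parse_flags(args[3]) if len(args) > 3 else set()
        _, sep, query = args[2].partition('?')
        if not sep:
            continue  # this rule does not build a query string
        if BAD_LITERAL.search(query):
            # [B] only escapes backreferences, so it cannot repair a literal space.
            findings.append((lineno, 'literal-space-in-query'))
        if BACKREF.search(query) and 'B' not in flags:
            # Captured text is copied unescaped; a decoded space in it leads to AH10410.
            findings.append((lineno, 'unescaped-backreference-in-query'))
    return findings


if __name__ == '__main__':
    for lineno, finding in audit(SAMPLE_CONF):
        print(f'line {lineno}: {finding}')
```

Rules reported as literal-space-in-query need the substitution itself changed; rules reported as unescaped-backreference-in-query are the ones where [B] applies, with the drawbacks noted in the thread.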


Re: Process-level htaccess cache

2022-10-14 Thread Frank Gingras
Any reason this was based on the older 2.4.6 release?

On Thu, 13 Oct 2022 at 19:24,  wrote:

> Hello,
>
> I work on a LAMP stack at a large e-commerce company. We have big htaccess
> files filled with mod_rewrite rules which are slow to parse. Moving these
> routes into httpd.conf would be more efficient, but would require changing
> our deployment strategy. Moving them into application code could also be
> more efficient, but porting them would take a lot of effort. So we explored
> optimizing httpd itself.
>
> Patching[0] the existing htaccess cache to live at the process-level
> instead of the request-level proved to be a significant win for us. We
> expected to save a handful of millis across the board, but also got a nice
> drop in CPU as well.
>
> The patch is probably too hacky or specific to merge as-is. (How many
> perf-sensitive Apache installations have huge htaccess files?) Perhaps a
> cleaner alternative would be adding in the necessary hooks and rewriting
> the patch as a module. Feedback encouraged.
>
> Thanks,
>
> Adam
>
> [0] https://gist.github.com/adsr/d6360b5cd59c084d67adc5e8e6127695 applies
> to 2.4.6
>


Re: tcp send buffering and keepalive races

2022-05-30 Thread Frank Gingras
Can someone remove Nam Ho from the ML please? The spamming has been going
on for weeks now.

On Mon, 30 May 2022 at 05:31, Nam Hồ  wrote:

>
>
> Sent from my iPhone
>
> > On May 30, 2022, at 16:21, Ruediger Pluem  wrote:
> >
> > 
> >
> >> On 5/27/22 7:33 PM, Eric Covener wrote:
> >> People might recall an event bug where keepalive connections might be
> >> closed up to 200ms early (r1874350).
> >>
> >> I was recently looking at something with $bigco hat on where (IIUC) a
> >> slow TTFB for a proxied request causes TCP congestion to kick in and
> >> makes even a relatively short response sit in the write buffer.
> >>
> >> From the behavior, it appears the browser is:
> >>
> >> 1) willing to use nearly every millisecond of the advertised KeepAlive
> >> time for reusing a connection from its pool
> >> 2) starts counting from when the response is complete
> >> 3) can't be asked to use Expect: 100-continue on an XHR POST
> >> 4) leaves error handling up to the caller and doesn't give it a ton of feedback
> >>
> >> This results in Apache starting the keepalive countdown "tens" of
> >> milliseconds early while the last bytes of the response are in the
> >> queue. If we get unlucky, a POST and a FIN cross in the night on a
> >> subsequent request.
> >>
> >> These types of investigations can be really painful.  Is there any
> >> harm in allowing the server to act like "KeepAliveTimeout 5" is e.g.
> >> "KeepAliveTimeout 5200ms".
> >>
> >> If this fudge buffer existed as an addl directive (rather than a trick
> >> documented in KeepAliveTimeout) , would it be reasonable as a non-zero
> >> default to discourage this race?
> >>
> >
> > In the end you want to get to a KeepAlive we announce to the client and
> > a KeepAlive which is longer than that that we execute.
> > My understanding of keepalive is that the client cannot take for granted
> > that a connection is really kept alive for as long as it was announced by
> > the server (it SHOULD be but there seems no MUST) and in fact we close keepalive
> > connections if get too busy and keeping these would prevent us from accepting
> > new connections.
> > Hence I think the issue will not be fixed in all situations.
> > I am willing to have this possibility, I guess best by adding an additional
> > amount of grace to the KeepAliveTimeout configurable by a directive, but I think
> > it should be zero by default to avoid confusion unless the behavior you report above
> > is widespread.
> >
> > Regards
> >
> > Rüdiger
>


Re: [apache]maxconnectionsperchild problem

2022-04-14 Thread Frank Gingras
You should direct your questions to us...@httpd.apache.org instead.

In the meantime, what mpm are you using?

On Thu, 14 Apr 2022 at 07:42, 刘孟  wrote:

> I am sorry that  is there anybody can answer my question?
>
>
>
> Hello, Mr Mentor
>
>
>
> I tried to translate it to English, please forgive my poor English
>
>
>
> Recently, when using the forwarding function of Apache, the
>
> The [maxconnectionsperchild] parameter in the MPM is ambiguous within the
> company.
>
>
>
> During the peak hours of the company's internal servers, the number of sub
> processes(httpd) of
> processes(hpptd) of
>
> each server is about 1000,[Maxconnectionsperchild] is currently set to 0.
> In order to be able to
>
> resolve the access target regularly in DNS, we plan to adjust the value of
> [maxconnectionsperchild]
>
> to make each child process in half a day that It can be restarted once.
>
>
>
> My question is After setting this parameter, if it is possible that 1000
> processes are arrive at the same time
>
> resulting in service interruption?
>
>
>
> Current server setting of [maxsparechlid = 20] and  [minspareechlid = 10]
>
> If [maxconnectionsperchild] is set, should the settings of these two
> values be adjusted synchronously
>
> (the purpose is not to restart all child processes at the same time during
> peak service)
>
>
>
> If there is insufficient information, please let me know.
>
> There is my phone below, you can communicate by phone.
>
> But I’m sorry that I just can speak Chinese or Japanese
>
>
>
> Best regards
>
> Have a nice work
>
>
>
>
> ---
>
> 刘孟 Liu Meng
>
> Project Development Dept.
>
> Tel : 010 82306399-7526 /Phone : 18500386112
>
>
>
> 北京図迅豊達信息技術有限公司 北京市海淀区北清路永豊路交差点東南 四維図新ビルA-8F
>
> Address : 8Floor,A Block,NavInfo Building, Southeast Crossing of BeiQing
> Rd. and YongFeng Rd., HaiDian District, Beijing(100094)
>
>
> ---
>
>
>
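> *From:* 刘孟 
> *Sent:* April 12, 2022 17:20
> *To:* dev@httpd.apache.org
> *Subject:* [apache]maxconnectionsperchild problem
>
>
>
> Hello, engineer,
>
>
>
> Please allow me to take the liberty of asking my question in Chinese.
>
>
>
> Recently, while using Apache's forwarding function, a disagreement arose
>
> within our company about the MaxConnectionsPerChild parameter in prefork mode.
>
>
>
> At peak times on our internal servers, each server has about 1000 child processes,
>
> and MaxConnectionsPerChild is currently set to 0. So that the NDS of the access
>
> target is resolved periodically, we plan to adjust the value of MaxConnectionsPerChild
>
> so that each child process restarts about once every half day.
>
>
>
> My question: after this parameter is set, could it happen that 1000 processes reach
>
> the configured number of connections at exactly the same time and terminate together,
> causing a service interruption?
>
>
>
> The servers currently have  maxsparechlid =20  minsparechlid = 10
>
> If MaxConnectionsPerChild is set, should these two values be adjusted along with it?
>
> (The aim is that not all child processes restart at the same time during peak service.)
>
>
>
> If any information is missing, please reply.
>
> My phone number is below, and we can talk by phone.
>
> I can use Chinese and Japanese.
>
> I can correspond in Japanese.
>
>
>
> Sorry to trouble you when you are busy.
>
> Wishing you pleasant work.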
>
>
>
>
>
>
> ---
>
> 刘孟 Liu Meng
>
> Project Development Dept.
>
> Tel : 010 82306399-7526 /Phone : 18500386112
>
>
>
> 北京図迅豊達信息技術有限公司 北京市海淀区北清路永豊路交差点東南 四維図新ビルA-8F
>
> Address : 8Floor,A Block,NavInfo Building, Southeast Crossing of BeiQing
> Rd. and YongFeng Rd., HaiDian District, Beijing(100094)
>
>
> ---
>
>
>


Re: disallow HTTP 0.9 by default?

2021-07-22 Thread Frank Gingras
I agree with this as well, I haven't had to use 0.9 in over a decade.

+1

On Thu, 22 Jul 2021 at 12:03, Roy T. Fielding  wrote:

> > On Jul 22, 2021, at 12:29 AM, Stefan Eissing <stefan.eiss...@greenbytes.de> wrote:
> >> On 21.07.2021 at 22:04, Eric Covener wrote:
> >>
> >> I was chasing an unrelated thread about close_notify alerts and
> >> reminded me -- is it time to change the default for
> >> HttpProtocolOptions from Allow0.9 to Require1.0?
> >>
> >> As the manual says, the requirement was dropped in RFC 7230. It seems
> >> like the kind of potential gadget in future desynch/smuggling kind of
> >> attacks that shouldn't be on by default today.
> >>
> >> Any opinions?
> >
> > +1
> >
> > I think the internet is a different place now from when 2.4 came out.
>
> Yep, we have long passed the point where the Internet depends on header fields
> like Host being present to avoid various attacks. +1
>
> Roy
>
>


Re: cannot view website but apache seems to be working properly

2021-07-20 Thread Frank Gingras
Paul,

First, d...@httpd.a.org is a development list, so you would want to ask
us...@httpd.a.org for questions or help with httpd.

However, your question falls outside the scope of both lists, since it
looks like either a networking or DNS issue. Perhaps your linux
distribution channel, or perhaps #networking or #dns on the irc.libera.chat
network would be a better resource for you.

On Wed, 21 Jul 2021 at 00:04, Paul Kagan  wrote:

> hi my website http://grocery.kiryastash.com is not accessible but the
> apache web server appears to be working correctly. it was also working
> before and suddenly stopped. I tried checking /var/log/ files and there
> does not seem to be any explanation, I only notice that it’s been a few
> days since there is logging in some files which may or may not be something…
>


Re: Changing mod_lua to stable

2018-12-17 Thread Frank Gingras
+1

On Mon, Dec 17, 2018 at 2:43 PM Ruediger Pluem  wrote:

>
>
> On 12/17/2018 08:23 PM, Daniel Gruno wrote:
> > Hi folks,
> > I've been pondering on the state of mod_lua, and it seems like it's time
> to get rid of the 'experimental' note, which
> > still scares off a lot of people. The API has been steady over the past
> few years, I believe, and the code itself seems
> > to be in a stable state, so I'm inclined to go ahead and get it moved
> over to stable, including switching from CTR to RTC.
>
> +1
>
> Regards
>
> Rüdiger
>


Spam on the httpd wiki (moin moin)

2016-07-06 Thread Frank Gingras
Hello folks,

I was looking into spam added to the wiki recently, and found out that
https://wiki.apache.org/httpd/Face2Face was set to be editable by everyone.

Presumably, that was done so that non-committers could make "quick" edits
during apachecon. For the time being, I've removed the ACL (locking it to a
list of pre-determined contributors, like the rest of the wiki), but please
let me know if you'd like me to revert that.

Thanks.