Re: mod_tls in 2.4.x - remove?

[jean-frederic clere]

On 4/16/24 12:56, Stefan Eissing via dev wrote:

mod_tls is experimental in 2.4.x. The rustls project, initially wanting to stay 
backward compatible to the v0.10.x API, has change its mind and no longer 
guarantees any stability in future versions. In fact, they have changed the API 
already, making mod_tls no longer viable.

I personally do not have the time to chase after this. If no one else has 
interests (and I don't know of anyone using it - else, speak up), I propose to 
remove it from the 2.4.x branch again.

Kind Regards,
Stefan


I am +1 for that, I have looked to arrange the testsuite to test mod_ssl 
instead mod_ssl via pytest in trunk (PR: 
https://github.com/apache/httpd/pull/433) so I would like to keep 
mod_tls in trunk if possible (but I am NOT planning to work on mod_tls 
for the moment).


--
Cheers

Jean-Frederic

Re: pytest test/modules/md/test_310_conf_store.py

[jean-frederic clere]

On 4/9/24 19:06, jean-frederic clere wrote:

Hi,

Has anyone run those tests recently?

I have errors like "MD testdomain.org does not match any VirtualHost 
with ...", probably I am doing something wrong...


It seems ignoring the warnings AH10045 and AH10105 is a possible fix.

--
Cheers

Jean-Frederic

pytest test/modules/md/test_310_conf_store.py

[jean-frederic clere]

Hi,

Has anyone run those tests recently?

I have errors like "MD testdomain.org does not match any VirtualHost 
with ...", probably I am doing something wrong...

--
Cheers

Jean-Frederic

Re: pytest results for 2.4.59

[jean-frederic clere]

On 4/6/24 20:02, Rainer Jung wrote:

Hi Jean-Frederic and all,

you didn't write at what point in time you take the thread dump. I see 
the SIGTERM messages logged during test execution always during the last 
test in each group (http2, md, ...) just because that is the time the 
logs are checked by teardown for error messages. At the time the test 
complains it already starts to kill the children and at least during my 
test runs it success with killing them (I think). So finding a good 
point in time to attach the debugger and see the right situation might 
not be easy?


I might have taken the thread dump late because I have taken it just 
after the ap_log_error("sending a SIGTERM") at that time there is only 
one thread running and it is "waiting" for the listener thread that has 
already stopped. There I have found that the behavior of pthread_kill() 
changed in "recent" fedora/rhel.


Are you suggesting I should also try to get dumps earlier in the 
shutdown process?




When you say Yann's patch helps, it means especially there are not more 
SIGTERM messages in the logs resp. no more teardown checks failing?


Yes with Yann's patch, the "AH00045: child process n still did not 
exit, sending a SIGTERM" messages are gone and teardown checks are passing.




Best regards,

Rainer

Am 06.04.24 um 17:32 schrieb jean-frederic clere:

On 4/6/24 13:10, Yann Ylavic wrote:
On Sat, Apr 6, 2024 at 10:46 AM jean-frederic clere 
 wrote:


On 4/5/24 07:55, Ruediger Pluem wrote:


Are you able to provide a stacktrace of the hanging process (thread 
apply all bt full)?


It seems pthread_kill(t, 0) returns 0 even the thread t has exited...
older version of fedora will return 3 (I have tried fc28)


If pthread_kill() does not work we probably should use the global
"dying" variable like in mpm_event.
But it's not clear from your earlier "bt full" whether there are other
threads, could you try "thread apply all bt full" instead to show all
the threads?


(gdb) thread apply all bt full

Thread 1 (Thread 0x7ffbf3f5ad40 (LWP 2891875)):
#0  0x7ffbf429b087 in __GI___select (nfds=nfds@entry=0, 
readfds=readfds@entry=0x0, writefds=writefds@entry=0x0, 
exceptfds=exceptfds@entry=0x0, timeout=timeout@entry=0x7fff56cbb0b0) 
at ../sysdeps/unix/sysv/linux/select.c:69

 sc_ret = -4
 sc_cancel_oldtype = 0
 sc_ret = 
 s = 
 us = 
 ns = 
 ts64 = {tv_sec = 0, tv_nsec = 155950744}
 pts64 = 0x7fff56cbb050
 r = 
#1  0x7ffbf43d9d92 in apr_sleep (t=t@entry=50) at 
time/unix/time.c:249

 tv = {tv_sec = 0, tv_usec = 50}
#2  0x00440733 in join_workers (listener=0x87c170, 
threads=threads@entry=0x91e150, mode=mode@entry=2) at worker.c:1069

 iter = 7
 i = 
 rv = 
 thread_rv = 0
#3  0x004412d9 in child_main 
(child_num_arg=child_num_arg@entry=0, 
child_bucket=child_bucket@entry=0) at worker.c:1310

 threads = 0x91e150
 rv = 1
 ts = 0x815a78
 thread_attr = 0x815a98
 start_thread_id = 0x815b08
 i = 
#4  0x0044161a in make_child (s=0x818d00, slot=slot@entry=0, 
bucket=0) at worker.c:1376

 pid = 0
#5  0x004416be in startup_children (number_to_start=3) at 
worker.c:1403

 i = 0
#6  0x004428f9 in worker_run (_pconf=, 
plog=0x81b998, s=0x818d00) at worker.c:1928

 listen_buckets = 0x875480
 num_buckets = 1
 remaining_children_to_start = 
 rv = 
 id = "0\000\000\000\000\000\000\000\t\000\000\000\000\000\000"
 i = 
#7  0x00456930 in ap_run_mpm (pconf=pconf@entry=0x7ec3e8, 
plog=0x81b998, s=0x818d00) at mpm_common.c:102

 pHook = 
 n = 0
 rv = -1
#8  0x0043350e in main (argc=, argv=out>) at main.c:882

 c = 102 'f'
 showcompile = 
--Type  for more, q to quit, c to continue without paging--
 showdirectives = 
 confname = 
 def_server_root = 
 temp_error_log = 
 error = 
 process = 0x7ea4c8
 pconf = 0x7ec3e8
 plog = 0x81b998
 ptemp = 0x815678
 pcommands = 
 opt = 0x810ef0
 rv = 
 mod = 
 opt_arg = 0x7fff56cbcb64 
"/home/jfclere/httpd-trunk/test/pyhttpd/../gen/apache/conf/httpd.conf"

 signal_server = 
 rc = 
(gdb)

I have added a kill(pid, SIGABRT); in server/mpm_unix.c after the 
ap_log_error() as it is not easy to get a core otherwise.




It's clear from the main thread's backtrace that it's waiting for the
listener in the "iter" loop, but nothing tells if the listener already
exited or not. The listener for instance could be waiting indefinitely
apr_pollset_poll() at this point, and since there is no pollset wakeup
in mpm_worker I don't think that wakeup_listener() can help here.

Re: pytest results for 2.4.59

[jean-frederic clere]

On 4/6/24 13:10, Yann Ylavic wrote:

On Sat, Apr 6, 2024 at 10:46 AM jean-frederic clere  wrote:


On 4/5/24 07:55, Ruediger Pluem wrote:


Are you able to provide a stacktrace of the hanging process (thread apply all 
bt full)?


It seems pthread_kill(t, 0) returns 0 even the thread t has exited...
older version of fedora will return 3 (I have tried fc28)


If pthread_kill() does not work we probably should use the global
"dying" variable like in mpm_event.
But it's not clear from your earlier "bt full" whether there are other
threads, could you try "thread apply all bt full" instead to show all
the threads?


(gdb) thread apply all bt full

Thread 1 (Thread 0x7ffbf3f5ad40 (LWP 2891875)):
#0  0x7ffbf429b087 in __GI___select (nfds=nfds@entry=0, 
readfds=readfds@entry=0x0, writefds=writefds@entry=0x0, 
exceptfds=exceptfds@entry=0x0, timeout=timeout@entry=0x7fff56cbb0b0) at 
../sysdeps/unix/sysv/linux/select.c:69

sc_ret = -4
sc_cancel_oldtype = 0
sc_ret = 
s = 
us = 
ns = 
ts64 = {tv_sec = 0, tv_nsec = 155950744}
pts64 = 0x7fff56cbb050
r = 
#1  0x7ffbf43d9d92 in apr_sleep (t=t@entry=50) at 
time/unix/time.c:249

tv = {tv_sec = 0, tv_usec = 50}
#2  0x00440733 in join_workers (listener=0x87c170, 
threads=threads@entry=0x91e150, mode=mode@entry=2) at worker.c:1069

iter = 7
i = 
rv = 
thread_rv = 0
#3  0x004412d9 in child_main 
(child_num_arg=child_num_arg@entry=0, child_bucket=child_bucket@entry=0) 
at worker.c:1310

threads = 0x91e150
rv = 1
ts = 0x815a78
thread_attr = 0x815a98
start_thread_id = 0x815b08
i = 
#4  0x0044161a in make_child (s=0x818d00, slot=slot@entry=0, 
bucket=0) at worker.c:1376

pid = 0
#5  0x004416be in startup_children (number_to_start=3) at 
worker.c:1403

i = 0
#6  0x004428f9 in worker_run (_pconf=, 
plog=0x81b998, s=0x818d00) at worker.c:1928

listen_buckets = 0x875480
num_buckets = 1
remaining_children_to_start = 
rv = 
id = "0\000\000\000\000\000\000\000\t\000\000\000\000\000\000"
i = 
#7  0x00456930 in ap_run_mpm (pconf=pconf@entry=0x7ec3e8, 
plog=0x81b998, s=0x818d00) at mpm_common.c:102

pHook = 
n = 0
rv = -1
#8  0x0043350e in main (argc=, argv=out>) at main.c:882

c = 102 'f'
showcompile = 
--Type  for more, q to quit, c to continue without paging--
showdirectives = 
confname = 
def_server_root = 
temp_error_log = 
error = 
process = 0x7ea4c8
pconf = 0x7ec3e8
plog = 0x81b998
ptemp = 0x815678
pcommands = 
opt = 0x810ef0
rv = 
mod = 
opt_arg = 0x7fff56cbcb64 
"/home/jfclere/httpd-trunk/test/pyhttpd/../gen/apache/conf/httpd.conf"

signal_server = 
rc = 
(gdb)

I have added a kill(pid, SIGABRT); in server/mpm_unix.c after the 
ap_log_error() as it is not easy to get a core otherwise.




It's clear from the main thread's backtrace that it's waiting for the
listener in the "iter" loop, but nothing tells if the listener already
exited or not. The listener for instance could be waiting indefinitely
apr_pollset_poll() at this point, and since there is no pollset wakeup
in mpm_worker I don't think that wakeup_listener() can help here.


According to my tests using assert(0) in the join_workers() in different 
location, the listener thread is stopped by wakeup_listener() but the 
pthread_kill() doesn't report that.




So maybe we need to add an apr_pollset_wakeup() in wakeup_listener()
too, like in mpm_event too.

Overall something like the attached patch?


Yes the attached patch helps




Regards;
Yann.


--
Cheers

Jean-Frederic

Re: pytest results for 2.4.59

[jean-frederic clere]

On 4/5/24 07:55, Ruediger Pluem wrote:



On 4/5/24 12:59 AM, Rainer Jung wrote:

I think I fixed all test failures, hopefully in the correct way. More eyes 
welcome.

I have a few additional sporadic ERRORS:

A] ERROR during teardown check for log file errors or warnings (twice):

04.04.2024 21:14:42.205465 ___ ERROR at teardown of 
TestStatus.test_md_920_020 
04.04.2024 21:14:42.205465 ERROR 
modules/md/test_920_status.py::TestStatus::test_md_920_020 - AssertionE...

04.04.2024 21:14:42.205465 E   AssertionError: apache logged 1 errors and 0 
warnings:
04.04.2024 21:14:42.205465 E [Thu Apr 04 21:12:29.381511 2024] 
[md:error] [pid 4169] (22)Invalid argument: no certificates
in non-empty chain 
/path/to/gen/apache/md/staging/one.test.test-md-702-070-1712257797.org/pubcert.pem


04.04.2024 21:03:26.382051 ___ ERROR at teardown of 
TestStatus.test_md_920_020 
04.04.2024 21:03:26.382360 ERROR 
modules/md/test_920_status.py::TestStatus::test_md_920_020 - AssertionE...

04.04.2024 21:03:26.382051 E   AssertionError: apache logged 1 errors and 1 
warnings:
04.04.2024 21:03:26.382051 E [Thu Apr 04 21:00:48.924286 2024] 
[md:error] [pid 8717:tid 139629962274560] (20014)Internal
error (specific information not available): test-md-702-041-1712256790.org: 
asked to retrieve chain, but no order in context
04.04.2024 21:03:26.382051 E [Thu Apr 04 21:00:48.924229 2024] 
[md:warn] [pid 8717:tid 139629962274560] error generate
pkey RSA 3072

B] Hanging httpd child processes

This happens only on RHEL 9 with worker MPM and can be notices by a dramatic 
slowdown of the tests. There's a lot of messages

AH00045: child process 1067703 still did not exit, sending a SIGTERM

and

AH00276: the listener thread didn't exit

It happened in

modules/core/test_001_encoding.py::TestEncoding::test_core_001_20[test2-/10%25abnormal.txt-200]

modules/md/test_920_status.py::TestStatus::test_md_920_020

modules/proxy/test_02_unix.py::TestProxyUds::test_proxy_02_003[mixed-500]

but I don't know, whether it might happen elsewhere also, because it is 
sporadic.

What I see in the error logs for one hanging child process:

- most threads terminate with

[Thu Apr 04 22:42:59.617953 2024] [ssl:trace3] [pid 1067703:tid 
140619680433728] ssl_engine_kernel.c(2223): [client
127.0.0.1:40686] OpenSSL: Write: SSL negotiation finished successfully
[Thu Apr 04 22:42:59.617972 2024] [ssl:trace6] [pid 1067703:tid 
140619680433728] ssl_engine_io.c(154): [client 127.0.0.1:40686]
bio_filter_out_write: flush
[Thu Apr 04 22:42:59.617981 2024] [ssl:debug] [pid 1067703:tid 140619680433728] 
ssl_engine_io.c(1146): [client 127.0.0.1:40686]
AH02001: Connection closed to child 0 with standard shutdown (server 
test1.tests.httpd.apache.org:443)

- watchdog thread terminates (?) with

[Thu Apr 04 22:43:00.902666 2024] [md:debug] [pid 1067703:tid 140619697219136] 
md_reg.c(1163): test-md-810-003a-1712260944.org:
staging done
[Thu Apr 04 22:43:00.903951 2024] [md:notice] [pid 1067703:tid 140619697219136] 
AH10059: The Managed Domain
test-md-810-003a-1712260944.org has been setup and changes will be activated on 
next (graceful) server restart.
[Thu Apr 04 22:43:00.904418 2024] [md:debug] [pid 1067703:tid 140619697219136] 
mod_md_drive.c(229): AH10107: next run in 11 hours
59 minutes 58 seconds
[Thu Apr 04 22:43:01.204981 2024] [md:debug] [pid 1067703:tid 140619697219136] 
mod_md_drive.c(236): AH10058: md watchdog stopping
[Thu Apr 04 22:43:01.205094 2024] [watchdog:debug] [pid 1067703:tid 
140619697219136] mod_watchdog.c(257): AH02973: Singleton
Watchdog (_md_renew_) stopping

- one worker thread seems not to stop:

[Thu Apr 04 22:42:59.768569 2024] [core:trace5] [pid 1067703:tid 
140619672041024] protocol.c(714): [client 127.0.0.1:48748]
Request received from client: GET 
/.well-known/acme-challenge/3VAiCadJ5do2TuwIbbh3w2foMGfnCspnm0eYejBSC9E HTTP/1.1
[Thu Apr 04 22:42:59.768667 2024] [md:debug] [pid 1067703:tid 140619672041024] 
mod_md.c(1385): [client 127.0.0.1:48748] loading
challenge for test-md-810-003a-1712260944.org 
(/.well-known/acme-challenge/3VAiCadJ5do2TuwIbbh3w2foMGfnCspnm0eYejBSC9E)
[Thu Apr 04 22:42:59.768698 2024] [http:trace3] [pid 1067703:tid 
140619672041024] http_filters.c(1141): [client 127.0.0.1:48748]
Response sent with status 200, headers:
[Thu Apr 04 22:42:59.768706 2024] [http:trace5] [pid 1067703:tid 
140619672041024] http_filters.c(1150): [client 127.0.0.1:48748]
Date: Thu, 04 Apr 2024 20:42:59 GMT
[Thu Apr 04 22:42:59.768712 2024] [http:trace5] [pid 1067703:tid 
140619672041024] http_filters.c(1153): [client 127.0.0.1:48748]
Server: Apache/2.4.59 (Unix) OpenSSL/3.1.5
[Thu Apr 04 22:42:59.768718 2024] [http:trace4] [pid 1067703:tid 
140619672041024] http_filters.c(971): [client 127.0.0.1:48748]
Content-Length: 88
[Thu Apr 04 22:42:59.768724 2024] [http:trace4] [pid 1067703:tid 
140619672041024] http_filters.c(971): [client 127.0.0.1:48748]
Connection: 

Re: pytest results for 2.4.59

[jean-frederic clere]

On 4/5/24 07:55, Ruediger Pluem wrote:



On 4/5/24 12:59 AM, Rainer Jung wrote:

I think I fixed all test failures, hopefully in the correct way. More eyes 
welcome.

I have a few additional sporadic ERRORS:

A] ERROR during teardown check for log file errors or warnings (twice):

04.04.2024 21:14:42.205465 ___ ERROR at teardown of 
TestStatus.test_md_920_020 
04.04.2024 21:14:42.205465 ERROR 
modules/md/test_920_status.py::TestStatus::test_md_920_020 - AssertionE...

04.04.2024 21:14:42.205465 E   AssertionError: apache logged 1 errors and 0 
warnings:
04.04.2024 21:14:42.205465 E [Thu Apr 04 21:12:29.381511 2024] 
[md:error] [pid 4169] (22)Invalid argument: no certificates
in non-empty chain 
/path/to/gen/apache/md/staging/one.test.test-md-702-070-1712257797.org/pubcert.pem


04.04.2024 21:03:26.382051 ___ ERROR at teardown of 
TestStatus.test_md_920_020 
04.04.2024 21:03:26.382360 ERROR 
modules/md/test_920_status.py::TestStatus::test_md_920_020 - AssertionE...

04.04.2024 21:03:26.382051 E   AssertionError: apache logged 1 errors and 1 
warnings:
04.04.2024 21:03:26.382051 E [Thu Apr 04 21:00:48.924286 2024] 
[md:error] [pid 8717:tid 139629962274560] (20014)Internal
error (specific information not available): test-md-702-041-1712256790.org: 
asked to retrieve chain, but no order in context
04.04.2024 21:03:26.382051 E [Thu Apr 04 21:00:48.924229 2024] 
[md:warn] [pid 8717:tid 139629962274560] error generate
pkey RSA 3072

B] Hanging httpd child processes

This happens only on RHEL 9 with worker MPM and can be notices by a dramatic 
slowdown of the tests. There's a lot of messages

AH00045: child process 1067703 still did not exit, sending a SIGTERM

and

AH00276: the listener thread didn't exit

It happened in

modules/core/test_001_encoding.py::TestEncoding::test_core_001_20[test2-/10%25abnormal.txt-200]

modules/md/test_920_status.py::TestStatus::test_md_920_020

modules/proxy/test_02_unix.py::TestProxyUds::test_proxy_02_003[mixed-500]

but I don't know, whether it might happen elsewhere also, because it is 
sporadic.

What I see in the error logs for one hanging child process:

- most threads terminate with

[Thu Apr 04 22:42:59.617953 2024] [ssl:trace3] [pid 1067703:tid 
140619680433728] ssl_engine_kernel.c(2223): [client
127.0.0.1:40686] OpenSSL: Write: SSL negotiation finished successfully
[Thu Apr 04 22:42:59.617972 2024] [ssl:trace6] [pid 1067703:tid 
140619680433728] ssl_engine_io.c(154): [client 127.0.0.1:40686]
bio_filter_out_write: flush
[Thu Apr 04 22:42:59.617981 2024] [ssl:debug] [pid 1067703:tid 140619680433728] 
ssl_engine_io.c(1146): [client 127.0.0.1:40686]
AH02001: Connection closed to child 0 with standard shutdown (server 
test1.tests.httpd.apache.org:443)

- watchdog thread terminates (?) with

[Thu Apr 04 22:43:00.902666 2024] [md:debug] [pid 1067703:tid 140619697219136] 
md_reg.c(1163): test-md-810-003a-1712260944.org:
staging done
[Thu Apr 04 22:43:00.903951 2024] [md:notice] [pid 1067703:tid 140619697219136] 
AH10059: The Managed Domain
test-md-810-003a-1712260944.org has been setup and changes will be activated on 
next (graceful) server restart.
[Thu Apr 04 22:43:00.904418 2024] [md:debug] [pid 1067703:tid 140619697219136] 
mod_md_drive.c(229): AH10107: next run in 11 hours
59 minutes 58 seconds
[Thu Apr 04 22:43:01.204981 2024] [md:debug] [pid 1067703:tid 140619697219136] 
mod_md_drive.c(236): AH10058: md watchdog stopping
[Thu Apr 04 22:43:01.205094 2024] [watchdog:debug] [pid 1067703:tid 
140619697219136] mod_watchdog.c(257): AH02973: Singleton
Watchdog (_md_renew_) stopping

- one worker thread seems not to stop:

[Thu Apr 04 22:42:59.768569 2024] [core:trace5] [pid 1067703:tid 
140619672041024] protocol.c(714): [client 127.0.0.1:48748]
Request received from client: GET 
/.well-known/acme-challenge/3VAiCadJ5do2TuwIbbh3w2foMGfnCspnm0eYejBSC9E HTTP/1.1
[Thu Apr 04 22:42:59.768667 2024] [md:debug] [pid 1067703:tid 140619672041024] 
mod_md.c(1385): [client 127.0.0.1:48748] loading
challenge for test-md-810-003a-1712260944.org 
(/.well-known/acme-challenge/3VAiCadJ5do2TuwIbbh3w2foMGfnCspnm0eYejBSC9E)
[Thu Apr 04 22:42:59.768698 2024] [http:trace3] [pid 1067703:tid 
140619672041024] http_filters.c(1141): [client 127.0.0.1:48748]
Response sent with status 200, headers:
[Thu Apr 04 22:42:59.768706 2024] [http:trace5] [pid 1067703:tid 
140619672041024] http_filters.c(1150): [client 127.0.0.1:48748]
Date: Thu, 04 Apr 2024 20:42:59 GMT
[Thu Apr 04 22:42:59.768712 2024] [http:trace5] [pid 1067703:tid 
140619672041024] http_filters.c(1153): [client 127.0.0.1:48748]
Server: Apache/2.4.59 (Unix) OpenSSL/3.1.5
[Thu Apr 04 22:42:59.768718 2024] [http:trace4] [pid 1067703:tid 
140619672041024] http_filters.c(971): [client 127.0.0.1:48748]
Content-Length: 88
[Thu Apr 04 22:42:59.768724 2024] [http:trace4] [pid 1067703:tid 
140619672041024] http_filters.c(971): [client 127.0.0.1:48748]
Connection: 

Re: pytest results for 2.4.59

[jean-frederic clere]

On 4/5/24 07:55, Ruediger Pluem wrote:



On 4/5/24 12:59 AM, Rainer Jung wrote:

I think I fixed all test failures, hopefully in the correct way. More eyes 
welcome.

I have a few additional sporadic ERRORS:

A] ERROR during teardown check for log file errors or warnings (twice):

04.04.2024 21:14:42.205465 ___ ERROR at teardown of 
TestStatus.test_md_920_020 
04.04.2024 21:14:42.205465 ERROR 
modules/md/test_920_status.py::TestStatus::test_md_920_020 - AssertionE...

04.04.2024 21:14:42.205465 E   AssertionError: apache logged 1 errors and 0 
warnings:
04.04.2024 21:14:42.205465 E [Thu Apr 04 21:12:29.381511 2024] 
[md:error] [pid 4169] (22)Invalid argument: no certificates
in non-empty chain 
/path/to/gen/apache/md/staging/one.test.test-md-702-070-1712257797.org/pubcert.pem


04.04.2024 21:03:26.382051 ___ ERROR at teardown of 
TestStatus.test_md_920_020 
04.04.2024 21:03:26.382360 ERROR 
modules/md/test_920_status.py::TestStatus::test_md_920_020 - AssertionE...

04.04.2024 21:03:26.382051 E   AssertionError: apache logged 1 errors and 1 
warnings:
04.04.2024 21:03:26.382051 E [Thu Apr 04 21:00:48.924286 2024] 
[md:error] [pid 8717:tid 139629962274560] (20014)Internal
error (specific information not available): test-md-702-041-1712256790.org: 
asked to retrieve chain, but no order in context
04.04.2024 21:03:26.382051 E [Thu Apr 04 21:00:48.924229 2024] 
[md:warn] [pid 8717:tid 139629962274560] error generate
pkey RSA 3072

B] Hanging httpd child processes

This happens only on RHEL 9 with worker MPM and can be notices by a dramatic 
slowdown of the tests. There's a lot of messages

AH00045: child process 1067703 still did not exit, sending a SIGTERM

and

AH00276: the listener thread didn't exit

It happened in

modules/core/test_001_encoding.py::TestEncoding::test_core_001_20[test2-/10%25abnormal.txt-200]

modules/md/test_920_status.py::TestStatus::test_md_920_020

modules/proxy/test_02_unix.py::TestProxyUds::test_proxy_02_003[mixed-500]

but I don't know, whether it might happen elsewhere also, because it is 
sporadic.

What I see in the error logs for one hanging child process:

- most threads terminate with

[Thu Apr 04 22:42:59.617953 2024] [ssl:trace3] [pid 1067703:tid 
140619680433728] ssl_engine_kernel.c(2223): [client
127.0.0.1:40686] OpenSSL: Write: SSL negotiation finished successfully
[Thu Apr 04 22:42:59.617972 2024] [ssl:trace6] [pid 1067703:tid 
140619680433728] ssl_engine_io.c(154): [client 127.0.0.1:40686]
bio_filter_out_write: flush
[Thu Apr 04 22:42:59.617981 2024] [ssl:debug] [pid 1067703:tid 140619680433728] 
ssl_engine_io.c(1146): [client 127.0.0.1:40686]
AH02001: Connection closed to child 0 with standard shutdown (server 
test1.tests.httpd.apache.org:443)

- watchdog thread terminates (?) with

[Thu Apr 04 22:43:00.902666 2024] [md:debug] [pid 1067703:tid 140619697219136] 
md_reg.c(1163): test-md-810-003a-1712260944.org:
staging done
[Thu Apr 04 22:43:00.903951 2024] [md:notice] [pid 1067703:tid 140619697219136] 
AH10059: The Managed Domain
test-md-810-003a-1712260944.org has been setup and changes will be activated on 
next (graceful) server restart.
[Thu Apr 04 22:43:00.904418 2024] [md:debug] [pid 1067703:tid 140619697219136] 
mod_md_drive.c(229): AH10107: next run in 11 hours
59 minutes 58 seconds
[Thu Apr 04 22:43:01.204981 2024] [md:debug] [pid 1067703:tid 140619697219136] 
mod_md_drive.c(236): AH10058: md watchdog stopping
[Thu Apr 04 22:43:01.205094 2024] [watchdog:debug] [pid 1067703:tid 
140619697219136] mod_watchdog.c(257): AH02973: Singleton
Watchdog (_md_renew_) stopping

- one worker thread seems not to stop:

[Thu Apr 04 22:42:59.768569 2024] [core:trace5] [pid 1067703:tid 
140619672041024] protocol.c(714): [client 127.0.0.1:48748]
Request received from client: GET 
/.well-known/acme-challenge/3VAiCadJ5do2TuwIbbh3w2foMGfnCspnm0eYejBSC9E HTTP/1.1
[Thu Apr 04 22:42:59.768667 2024] [md:debug] [pid 1067703:tid 140619672041024] 
mod_md.c(1385): [client 127.0.0.1:48748] loading
challenge for test-md-810-003a-1712260944.org 
(/.well-known/acme-challenge/3VAiCadJ5do2TuwIbbh3w2foMGfnCspnm0eYejBSC9E)
[Thu Apr 04 22:42:59.768698 2024] [http:trace3] [pid 1067703:tid 
140619672041024] http_filters.c(1141): [client 127.0.0.1:48748]
Response sent with status 200, headers:
[Thu Apr 04 22:42:59.768706 2024] [http:trace5] [pid 1067703:tid 
140619672041024] http_filters.c(1150): [client 127.0.0.1:48748]
Date: Thu, 04 Apr 2024 20:42:59 GMT
[Thu Apr 04 22:42:59.768712 2024] [http:trace5] [pid 1067703:tid 
140619672041024] http_filters.c(1153): [client 127.0.0.1:48748]
Server: Apache/2.4.59 (Unix) OpenSSL/3.1.5
[Thu Apr 04 22:42:59.768718 2024] [http:trace4] [pid 1067703:tid 
140619672041024] http_filters.c(971): [client 127.0.0.1:48748]
Content-Length: 88
[Thu Apr 04 22:42:59.768724 2024] [http:trace4] [pid 1067703:tid 
140619672041024] http_filters.c(971): [client 127.0.0.1:48748]
Connection: 

Re: pytest results for 2.4.59

[jean-frederic clere]

On 4/5/24 00:59, Rainer Jung wrote:
This happens only on RHEL 9 with worker MPM and can be notices by a 
dramatic slowdown of the tests. There's a lot of messages


AH00045: child process 1067703 still did not exit, sending a SIGTERM


I have noted those too on fedora 39, I am planning to have a look...

--
Cheers

Jean-Frederic

Re: [VOTE] Release httpd-2.4.59-rc1 as httpd-2.4.59

[jean-frederic clere]

On 4/4/24 13:59, SteffenAL wrote:


Thanks for the hint.
Yep, needed an extra include. Not using cmake.


mod_http2 shows still version 2.0.22 (h2_version.h).
Should it be 2.0.26 ?


or better 2.0.27? ;-)

We picked the fixes but not version...



Steffen


On Thursday 04/04/2024 at 13:25, jean-frederic clere  wrote:

On 4/4/24 12:49, Steffen Land wrote:


-1
Get an error:
Error    C2065    'DAV_WALKTYPE_TOLERANT': undeclared identifier
mod_dav_fs    C:\VS17\Win32\httpd-2.4\modules\dav\fs\repos.c    1599


I didn't see any problem while building on windows (using cmake and 
VS19).


+++
Mode    LastWriteTime Length Name
    - -- 
-a 4/3/2024   7:56 AM 101376 mod_dav.so
-a 4/3/2024   7:56 AM  51200 mod_dav_fs.so
-a 4/3/2024   7:56 AM  23552 mod_dav_lock.so
+++

DAV_WALKTYPE_TOLERANT is in ./modules/dav/main/mod_dav.h line 1826



Steffen
On 2024/04/03 12:26:09 Eric Covener wrote:


Hi all,

(After only minor embarrassment of patching tags/2.4.55 instead of 
2.4.x...)


Please find below the proposed release tarball and signatures:

https://dist.apache.org/repos/dist/dev/httpd/

I would like to call a SHORTENED VOTE to release
this candidate tarball httpd-2.4.59-rc1 as 2.4.59:
[ ] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

The computed digests of the tarball up for vote are:
= e4ec4ce12c6c8f5a794dc2263d126cb1d6ef667f034c4678ec945d61286e8b0f
= 
baa96a7c9bba48f758ca9b3e3d63f0c65db960653618109d4d7bcbf3d4776d1d51453beb65e5af57655f0b1cfb88913842bc3a117fe7acc754ddb43d4524bc82


The SVN candidate source is found at tags/2.4.59-rc1-candidate.



--
Cheers

Jean-Frederic







--
Cheers

Jean-Frederic

Re: [VOTE] Release httpd-2.4.59-rc1 as httpd-2.4.59

[jean-frederic clere]

On 4/4/24 12:49, Steffen Land wrote:

-1
Get an error:

Error   C2065   'DAV_WALKTYPE_TOLERANT': undeclared identifier  mod_dav_fs  
C:\VS17\Win32\httpd-2.4\modules\dav\fs\repos.c  1599


I didn't see any problem while building on windows (using cmake and VS19).

+++
ModeLastWriteTime Length Name
- -- 
-a 4/3/2024   7:56 AM 101376 mod_dav.so
-a 4/3/2024   7:56 AM  51200 mod_dav_fs.so
-a 4/3/2024   7:56 AM  23552 mod_dav_lock.so
+++

DAV_WALKTYPE_TOLERANT is in ./modules/dav/main/mod_dav.h line 1826



Steffen

On 2024/04/03 12:26:09 Eric Covener wrote:

Hi all,

(After only minor embarrassment of patching tags/2.4.55 instead of 2.4.x...)

Please find below the proposed release tarball and signatures:

https://dist.apache.org/repos/dist/dev/httpd/

I would like to call a SHORTENED VOTE to release
this candidate tarball httpd-2.4.59-rc1 as 2.4.59:
[ ] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

The computed digests of the tarball up for vote are:
= e4ec4ce12c6c8f5a794dc2263d126cb1d6ef667f034c4678ec945d61286e8b0f
= 
baa96a7c9bba48f758ca9b3e3d63f0c65db960653618109d4d7bcbf3d4776d1d51453beb65e5af57655f0b1cfb88913842bc3a117fe7acc754ddb43d4524bc82

The SVN candidate source is found at tags/2.4.59-rc1-candidate.



--
Cheers

Jean-Frederic

Re: [VOTE] Release httpd-2.4.59-rc1 as httpd-2.4.59

[jean-frederic clere]

On 4/3/24 14:26, Eric Covener wrote:

[X] +1: It's not just good, it's good enough!


Build and tested in fedora 39 and windows server 2019 (VS17 2022 Cmake).

--
Cheers

Jean-Frederic

Re: svn commit: r1915947 - /httpd/httpd/branches/2.4.x/STATUS

[jean-frederic clere]

On 2/29/24 10:54, Joe Orton wrote:

On Thu, Feb 22, 2024 at 01:35:06PM -, jfcl...@apache.org wrote:

Author: jfclere
Date: Thu Feb 22 13:35:06 2024
New Revision: 1915947

URL: http://svn.apache.org/viewvc?rev=1915947=rev
Log:
Propose. CMake builds fail withi: "fatal error C1083: Cannot open include file: 
'ap_config_auto.h'"


FYI the r1877693 fix is included in my other backport proposal for
htpasswd.


I have removed my proposal, tested, checked and votes yours. Thanks!




Modified:
 httpd/httpd/branches/2.4.x/STATUS

Modified: httpd/httpd/branches/2.4.x/STATUS
URL: 
http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1915947=1915946=1915947=diff
==
--- httpd/httpd/branches/2.4.x/STATUS (original)
+++ httpd/httpd/branches/2.4.x/STATUS Thu Feb 22 13:35:06 2024
@@ -243,6 +243,12 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
Github PR: https://github.com/apache/httpd/pull/413
+1: ylavic, jorton, jfclere
  
+   *) htpasswd: Windows : do not include ap_config_auto.h

+  trunk patch: https://svn.apache.org/r1877693
+  2.4.x patch: svn merge -c 1877693 ^/httpd/httpd/trunk .
+  +1: jfclere,
+
+
  PATCHES/ISSUES THAT ARE BEING WORKED
[ New entries should be added at the START of the list ]
  







--
Cheers

Jean-Frederic

Re: svn commit: r1913815 - in /httpd/httpd/trunk: changes-entries/pr68080.txt modules/ssl/mod_ssl.c modules/ssl/ssl_engine_config.c modules/ssl/ssl_private.h

[jean-frederic clere]

On 2/20/24 11:40, Yann Ylavic wrote:

On Mon, Feb 19, 2024 at 5:36 PM jean-frederic clere  wrote:


On 11/15/23 23:09, yla...@apache.org wrote:

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
URL:http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_config.c?rev=1913815=1913814=1913815=diff
==
--- httpd/httpd/trunk/modules/ssl/ssl_engine_config.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_config.c Wed Nov 15 22:09:05 2023
@@ -669,7 +669,6 @@ const char *ssl_cmd_SSLPassPhraseDialog(
   return NULL;
   }

-#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
   const char *ssl_cmd_SSLCryptoDevice(cmd_parms *cmd,
   void *dcfg,
   const char *arg)
@@ -714,7 +713,6 @@ const char *ssl_cmd_SSLCryptoDevice(cmd_

   return NULL;
   }
-#endif


I think that is causing compilation problems with:
mc->szCryptoDevice = NULL;
in ssl_cmd_SSLCryptoDevice().


Thanks, I suppose this happens with the latest OpenSSL versions where
they removed the ENGINE API completely?


Yes.


Fixed in r1915889 hopefully (should probably be backported to 2.4.x
since r1913815 made it there already).


Regards;
Yann.


--
Cheers

Jean-Frederic

Re: svn commit: r1913815 - in /httpd/httpd/trunk: changes-entries/pr68080.txt modules/ssl/mod_ssl.c modules/ssl/ssl_engine_config.c modules/ssl/ssl_private.h

[jean-frederic clere]

On 11/15/23 23:09, yla...@apache.org wrote:

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
URL:http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_config.c?rev=1913815=1913814=1913815=diff
==
--- httpd/httpd/trunk/modules/ssl/ssl_engine_config.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_config.c Wed Nov 15 22:09:05 2023
@@ -669,7 +669,6 @@ const char *ssl_cmd_SSLPassPhraseDialog(
  return NULL;
  }
  
-#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)

  const char *ssl_cmd_SSLCryptoDevice(cmd_parms *cmd,
  void *dcfg,
  const char *arg)
@@ -714,7 +713,6 @@ const char *ssl_cmd_SSLCryptoDevice(cmd_
  
  return NULL;

  }
-#endif


I think that is causing compilation problems with:
mc->szCryptoDevice = NULL;
in ssl_cmd_SSLCryptoDevice().

--
Cheers

Jean-Frederic

Re: age in proxy_balancer_method

[jean-frederic clere]

On 12/21/23 19:32, Rainer Jung wrote:
I guess it could be like this: when Mladen originally implemented the by 
requests load balancing method in mod_jk he used the count and subtract 
method for the counters. He then ported this to mod_proxy_balancer and I 
think it is still, how by requests counting woorks there.


There are pros and cons, e.g. in case a worker goes down for some time. 
A bit later we switched in mod_jk to a count and divide, where division 
by 2 was done roughly every 60 seconds (configurable).


I have looked to different solutions: The most easy is to add age=n 
parameter to the balancer definition and divide the transferred, read 
and elected by 2 every n seconds for the workers.


Other logic would be to store those values and reset them if they don't 
change.


The busy don't need any aging ;-)

I will prepare a PR for first review tomorrow.



I think the idea of the age method was roughly, that you could implement 
a balanvcer method, that registers a mod_watchdog task, that regularly 
ages the balancing counters. Aging because you want to give the past a 
smaller influence on the balancing decision than the more recent activity.


I hope that's understandable and maybe Jim remembers something similar 
to that.


Best regards,

Rainer

Am 21.12.23 um 08:23 schrieb jean-frederic clere:

On 12/20/23 21:22, Jim Jagielski wrote:
I'll have to go back through my notes... I do recall adding fields 
that although
were not being used at the time, were _going to be used_ as some 
point, and

I didn't want to have to worry about ABI compatibility.


Cool I will wait before implementing something that breaks your design 
;-)




On Dec 14, 2023, at 8:27 AM, jean-frederic clere  
wrote:


Hi,

Any examples or docs about:
apr_status_t (*age)(proxy_balancer *balancer, server_rec *s);

In struct proxy_balancer_method?

--
Cheers

Jean-Frederic


--
Cheers

Jean-Frederic

Re: reset in proxy_balancer_method

[jean-frederic clere]

On 2/15/24 13:04, Ruediger Pluem wrote:



On 2/15/24 9:28 AM, jean-frederic clere wrote:

On 2/14/24 20:54, Ruediger Pluem wrote:



On 2/14/24 3:45 PM, jean-frederic clere wrote:

On 2/14/24 08:19, Ruediger Pluem wrote:



On 2/9/24 11:59 AM, jean-frederic clere wrote:

Hi,

I have noted to the reset() clean up too much in the balancers:
mod_lbmethod_bybusyness.c for example does:
+++
   for (i = 0; i < balancer->workers->nelts; i++, worker++) {
   (*worker)->s->lbstatus = 0;
   ap_proxy_set_busy_count(*worker, 0); /* BAD */
   }
+++
In fact reset() is called by ap_proxy_initialize_balancer() when a child 
process is created... Resetting the counters messes up
the logic.

Does it make sense to stop calling reset() from ap_proxy_initialize_balancer() 
or is it better to fix all reset()?


I am not sure what the original idea / intention of reset was. Until this is 
clarified I would not remove the call to reset in
ap_proxy_initialize_balancer(). In ap_proxy_sync_balancer the call to it is 
guarded by a check for the need_reset flag. Maybe
this
gives a hint.


Rethinking this. I guess we lack a clear API definition of the reset method of 
a balancer provider and it does not really seem
sensible to reset the stats in case a new child is created. Hence I guess the 
regression risk is rather low when just removing
this call to reset.



The need_reset is set when a worker is enabled or when the load balancing 
method is changed.


Isn't that a similar situation to when a worker is added (in respect to the 
point below)?


The worker are added disabled.


Which means stuff gets reset once they get enabled?


Correct ;-)



Regards

Rüdiger


--
Cheers

Jean-Frederic

Re: reset in proxy_balancer_method

[jean-frederic clere]

On 2/14/24 20:54, Ruediger Pluem wrote:



On 2/14/24 3:45 PM, jean-frederic clere wrote:

On 2/14/24 08:19, Ruediger Pluem wrote:



On 2/9/24 11:59 AM, jean-frederic clere wrote:

Hi,

I have noted to the reset() clean up too much in the balancers:
mod_lbmethod_bybusyness.c for example does:
+++
  for (i = 0; i < balancer->workers->nelts; i++, worker++) {
  (*worker)->s->lbstatus = 0;
  ap_proxy_set_busy_count(*worker, 0); /* BAD */
  }
+++
In fact reset() is called by ap_proxy_initialize_balancer() when a child 
process is created... Resetting the counters messes up
the logic.

Does it make sense to stop calling reset() from ap_proxy_initialize_balancer() 
or is it better to fix all reset()?


I am not sure what the original idea / intention of reset was. Until this is 
clarified I would not remove the call to reset in
ap_proxy_initialize_balancer(). In ap_proxy_sync_balancer the call to it is 
guarded by a check for the need_reset flag. Maybe this
gives a hint.


Rethinking this. I guess we lack a clear API definition of the reset method of 
a balancer provider and it does not really seem
sensible to reset the stats in case a new child is created. Hence I guess the 
regression risk is rather low when just removing
this call to reset.



The need_reset is set when a worker is enabled or when the load balancing 
method is changed.


Isn't that a similar situation to when a worker is added (in respect to the 
point below)?


The worker are added disabled.










There is another thing adding a new worker via /balancer-manager/ probably 
requires some kind of reset() otherwise all the load
moves to the new worker which is not the best May be calling age() or 
triggering calls to age() can help.


Doesn't ap_proxy_sync_balancer take care of this which is called before 
processing a request?



Regards

Rüdiger


--
Cheers

Jean-Frederic

Re: reset in proxy_balancer_method

[jean-frederic clere]

On 2/14/24 08:19, Ruediger Pluem wrote:



On 2/9/24 11:59 AM, jean-frederic clere wrote:

Hi,

I have noted to the reset() clean up too much in the balancers:
mod_lbmethod_bybusyness.c for example does:
+++
     for (i = 0; i < balancer->workers->nelts; i++, worker++) {
     (*worker)->s->lbstatus = 0;
     ap_proxy_set_busy_count(*worker, 0); /* BAD */
     }
+++
In fact reset() is called by ap_proxy_initialize_balancer() when a child 
process is created... Resetting the counters messes up
the logic.

Does it make sense to stop calling reset() from ap_proxy_initialize_balancer() 
or is it better to fix all reset()?


I am not sure what the original idea / intention of reset was. Until this is 
clarified I would not remove the call to reset in
ap_proxy_initialize_balancer(). In ap_proxy_sync_balancer the call to it is 
guarded by a check for the need_reset flag. Maybe this
gives a hint.


The need_reset is set when a worker is enabled or when the load 
balancing method is changed.







There is another thing adding a new worker via /balancer-manager/ probably 
requires some kind of reset() otherwise all the load
moves to the new worker which is not the best May be calling age() or 
triggering calls to age() can help.


Doesn't ap_proxy_sync_balancer take care of this which is called before 
processing a request?

Regards

Rüdiger



--
Cheers

Jean-Frederic

Re: svn commit: r1915782 - in /httpd/httpd/branches/2.4.x: ./ build/PrintPath build/find_apr.m4 build/find_apu.m4 changes-entries/mod_slotmem_shm.txt modules/slotmem/mod_slotmem_shm.c

[jean-frederic clere]

On 2/14/24 12:18, jfcl...@apache.org wrote:

Removed:
 httpd/httpd/branches/2.4.x/build/PrintPath
 httpd/httpd/branches/2.4.x/build/find_apr.m4
 httpd/httpd/branches/2.4.x/build/find_apu.m4


Oops I have undone that, sorry.
--
Cheers

Jean-Frederic

Re: using changes-entries or write in CHANGES directly

[jean-frederic clere]

On 2/14/24 11:06, Ruediger Pluem wrote:



On 2/14/24 10:53 AM, jean-frederic clere wrote:

Hi,

Are there any rules to use changes-entries or write directly in CHANGES?




IMHO change-entries is preferred. See 
http://svn.apache.org/viewvc/httpd/httpd/trunk/README.CHANGES?view=markup

I just noticed that we probably need a better cleanup mechanism for 
change-entries in trunk as I guess that
we do not want to add backported changes to the trunk CHANGES file. But this 
problem has been there in the past
as well that direct edits to CHANGES in trunk were not properly reverted once 
this change was backported.
But the usage of change-entries should ease this process.


OK thanks...

So for 2.4.x on my accepted back port I have don't need changes-entries 
and I have to process CHANGES by hands as I missed creating a 
changes-entries file in trunk.





Regards

Rüdiger


--
Cheers

Jean-Frederic

using changes-entries or write in CHANGES directly

[jean-frederic clere]

Hi,

Are there any rules to use changes-entries or write directly in CHANGES?

--
Cheers

Jean-Frederic

reset in proxy_balancer_method

[jean-frederic clere]

Hi,

I have noted to the reset() clean up too much in the balancers:
mod_lbmethod_bybusyness.c for example does:
+++
for (i = 0; i < balancer->workers->nelts; i++, worker++) {
(*worker)->s->lbstatus = 0;
ap_proxy_set_busy_count(*worker, 0); /* BAD */
}
+++
In fact reset() is called by ap_proxy_initialize_balancer() when a child 
process is created... Resetting the counters messes up the logic.


Does it make sense to stop calling reset() from 
ap_proxy_initialize_balancer() or is it better to fix all reset()?



There is another thing adding a new worker via /balancer-manager/ 
probably requires some kind of reset() otherwise all the load moves to 
the new worker which is not the best May be calling age() or 
triggering calls to age() can help.


--
Cheers

Jean-Frederic

Re: svn commit: r1915411 - /httpd/httpd/trunk/CMakeLists.txt

[jean-frederic clere]

On 1/26/24 15:57, Ruediger Pluem wrote:

There seem to be unrelated changes to mod_proxy_hcheck in the below. Is this 
intended?


Well mod_proxy_hchech was missing... I was planning another commit.

Should I do 2 commits or just adjust the commit message?



Regards

Rüdiger

On 1/26/24 3:25 PM, jfcl...@apache.org wrote:

Author: jfclere
Date: Fri Jan 26 14:25:15 2024
New Revision: 1915411

URL: http://svn.apache.org/viewvc?rev=1915411=rev
Log:
ab needs an additional Ws2_32.lib (like abs)

Modified:
 httpd/httpd/trunk/CMakeLists.txt

Modified: httpd/httpd/trunk/CMakeLists.txt
URL: 
http://svn.apache.org/viewvc/httpd/httpd/trunk/CMakeLists.txt?rev=1915411=1915410=1915411=diff
==
--- httpd/httpd/trunk/CMakeLists.txt (original)
+++ httpd/httpd/trunk/CMakeLists.txt Fri Jan 26 14:25:15 2024
@@ -415,6 +415,7 @@ SET(MODULE_LIST
"modules/proxy/mod_proxy_fcgi+I+Apache proxy FastCGI module.  Requires and is 
enabled by --enable-proxy."
"modules/proxy/mod_proxy_ftp+I+Apache proxy FTP module.  Requires and is enabled 
by --enable-proxy."
"modules/proxy/mod_proxy_http+I+Apache proxy HTTP module.  Requires and is 
enabled by --enable-proxy."
+  "modules/proxy/mod_proxy_hcheck+I+Apache proxy Health check module.  Requires and 
is enabled by --enable-proxy."
"modules/proxy/mod_proxy_scgi+I+Apache proxy SCGI module.  Requires and is 
enabled by --enable-proxy."
"modules/proxy/mod_proxy_wstunnel+I+Apache proxy Websocket Tunnel module.  
Requires and is enabled by --enable-proxy."
"modules/http2/mod_proxy_http2+i+Apache proxy HTTP/2 module.  Requires 
--enable-proxy."
@@ -549,6 +550,7 @@ SET(mod_proxy_express_extra_libs mod
  SET(mod_proxy_fcgi_extra_libsmod_proxy)
  SET(mod_proxy_ftp_extra_libs mod_proxy)
  SET(mod_proxy_http_extra_libsmod_proxy)
+SET(mod_proxy_hcheck_extra_libs  mod_proxy)
  SET(mod_proxy_html_requires  LIBXML2_FOUND)
  IF(LIBXML2_FOUND)
SET(mod_proxy_html_extra_includes
"${LIBXML2_INCLUDE_DIR};${LIBXML2_ICONV_INCLUDE_DIR}")
@@ -935,7 +937,6 @@ SET_TARGET_PROPERTIES(httpd PROPERTIES
  TARGET_LINK_LIBRARIES(httpd libhttpd ${EXTRA_LIBS})
  
  SET(standard_support

-  ab
htcacheclean
htdbm
htdigest
@@ -958,6 +959,15 @@ FOREACH(pgm ${standard_support})
TARGET_LINK_LIBRARIES(${pgm} ${EXTRA_LIBS} ${APR_LIBRARIES})
  ENDFOREACH()
  
+ADD_EXECUTABLE(ab support/ab.c build/win32/httpd.rc)

+SET(install_targets ${install_targets} ab)
+SET(install_bin_pdb ${install_bin_pdb} $)
+SET(tmp_includes ${HTTPD_INCLUDE_DIRECTORIES})
+SET_TARGET_PROPERTIES(ab PROPERTIES INCLUDE_DIRECTORIES "${tmp_includes}")
+DEFINE_WITH_BLANKS(define_long_name "LONG_NAME" "Apache HTTP Server ab 
program")
+SET_TARGET_PROPERTIES(ab PROPERTIES COMPILE_FLAGS "-DAPP_FILE ${define_long_name} 
-DBIN_NAME=ab.exe ${EXTRA_COMPILE_FLAGS}")
+TARGET_LINK_LIBRARIES(ab ${EXTRA_LIBS} ${APR_LIBRARIES} Ws2_32.lib)
+
  IF(OPENSSL_FOUND)
ADD_EXECUTABLE(abs support/ab.c build/win32/httpd.rc)
SET(install_targets ${install_targets} abs)
@@ -969,7 +979,6 @@ IF(OPENSSL_FOUND)
SET_TARGET_PROPERTIES(abs PROPERTIES COMPILE_FLAGS "-DAPP_FILE 
${define_long_name} -DBIN_NAME=abs.exe ${EXTRA_COMPILE_FLAGS}")
TARGET_LINK_LIBRARIES(abs ${EXTRA_LIBS} ${APR_LIBRARIES} 
${OPENSSL_LIBRARIES} Ws2_32.lib)
  ENDIF()
-GET_PROPERTY(tmp_includes TARGET ab PROPERTY INCLUDE_DIRECTORIES)
  
  # Unit Test Suite

  IF(CHECK_FOUND)





--
Cheers

Jean-Frederic

Re: age in proxy_balancer_method

[jean-frederic clere]

On 1/2/24 14:47, Jim Jagielski wrote:

Yeah, that sounds about right. I'd say that whatever changes need (or should 
be) made are fine


Thanks I will keep experimenting ;-)




On Dec 21, 2023, at 1:32 PM, Rainer Jung  wrote:

I guess it could be like this: when Mladen originally implemented the by 
requests load balancing method in mod_jk he used the count and subtract method 
for the counters. He then ported this to mod_proxy_balancer and I think it is 
still, how by requests counting woorks there.

There are pros and cons, e.g. in case a worker goes down for some time. A bit 
later we switched in mod_jk to a count and divide, where division by 2 was done 
roughly every 60 seconds (configurable).

I think the idea of the age method was roughly, that you could implement a 
balanvcer method, that registers a mod_watchdog task, that regularly ages the 
balancing counters. Aging because you want to give the past a smaller influence 
on the balancing decision than the more recent activity.

I hope that's understandable and maybe Jim remembers something similar to that.

Best regards,

Rainer

Am 21.12.23 um 08:23 schrieb jean-frederic clere:

On 12/20/23 21:22, Jim Jagielski wrote:

I'll have to go back through my notes... I do recall adding fields that although
were not being used at the time, were _going to be used_ as some point, and
I didn't want to have to worry about ABI compatibility.

Cool I will wait before implementing something that breaks your design ;-)



On Dec 14, 2023, at 8:27 AM, jean-frederic clere  wrote:

Hi,

Any examples or docs about:
apr_status_t (*age)(proxy_balancer *balancer, server_rec *s);

In struct proxy_balancer_method?

--
Cheers

Jean-Frederic




--
Cheers

Jean-Frederic

Re: age in proxy_balancer_method

[jean-frederic clere]

On 12/20/23 21:22, Jim Jagielski wrote:

I'll have to go back through my notes... I do recall adding fields that although
were not being used at the time, were _going to be used_ as some point, and
I didn't want to have to worry about ABI compatibility.


Cool I will wait before implementing something that breaks your design ;-)




On Dec 14, 2023, at 8:27 AM, jean-frederic clere  wrote:

Hi,

Any examples or docs about:
apr_status_t (*age)(proxy_balancer *balancer, server_rec *s);

In struct proxy_balancer_method?

--
Cheers

Jean-Frederic




--
Cheers

Jean-Frederic

age in proxy_balancer_method

[jean-frederic clere]

Hi,

Any examples or docs about:
apr_status_t (*age)(proxy_balancer *balancer, server_rec *s);

In struct proxy_balancer_method?

--
Cheers

Jean-Frederic

Re: balancers bybusyness, bytraffic and byrequest thread/process safe issues

[jean-frederic clere]

On 9/6/23 18:40, Yann Ylavic wrote:

On Wed, Sep 6, 2023 at 6:29 PM Yann Ylavic  wrote:


As for the memory orders on success/failure, they have nothing to do
with the likeliness of success/failure


Well the memory orderings specified can certainly influence the
likeliness of success/failure since a weaker ordering implies less
synchronization thus probably more concurrency, what I meant is that
they don't influence *correctness* of the returned values!


OK thanks for your help.



Regards;
Yann.


--
Cheers

Jean-Frederic

Re: balancers bybusyness, bytraffic and byrequest thread/process safe issues

[jean-frederic clere]

On 8/31/23 18:20, Jim Jagielski wrote:

Isn't the call to find the best balancer mutex protected?


Look to apr_atomic_cas32() and the APR code (1.7.x) I noted that we 
don't test the return value of __atomic_compare_exchange_n()


+++
PR_DECLARE(apr_uint32_t) apr_atomic_cas32(volatile apr_uint32_t *mem, 
apr_uint32_t val,

   apr_uint32_t cmp)
{
#if HAVE__ATOMIC_BUILTINS
__atomic_compare_exchange_n(mem, , val, 0, __ATOMIC_SEQ_CST, 
__ATOMIC_SEQ_CST);

return cmp;
#else
return __sync_val_compare_and_swap(mem, cmp, val);
#endif
+++

and:
https://gcc.gnu.org/onlinedocs/gcc/_005f_005fatomic-Builtins.html
Says:
Otherwise, false is returned and memory is affected according to 
failure_memorder. This memory order cannot be __ATOMIC_RELEASE nor 
__ATOMIC_ACQ_REL. It also cannot be a stronger order than that specified 
by success_memorder.


So we use __ATOMIC_SEQ_CST so we can't fail or do I miss something?



On Aug 31, 2023, at 7:44 AM, jean-frederic clere  
wrote:


On 8/30/23 17:33, Rainer Jung wrote:

Hi JFC,
I have not checked ur current code, but the topic reminds me of our 
history in mod_jk land. There we switched the counters to atomics 
were available. The other problematic part could be how to handle 
process local counters versus global counters.


Using apr_atomic_inc32()/apr_atomic_dec32 on apr_size_t busy won't work?
Actual apr_size_t for busy is probably overkill does using 
apr_atomic_add64() and apr_atomic_dec64() makes sense here?


Anyway I will give it a try.

Busyness was especially problematic for mod_jk as well, because we 
never deremented below zero if we lost increments, but if we lost 
decrements the counters stayed elevated. I think there we now have no 
longer such problems.

Best regards,
Rainer
Am 30.08.23 um 17:19 schrieb jean-frederic clere:

Hi,

All the balancers have thread/process safe issues, but with 
bybusyness the effect is worse, basically a worker may stay with a 
busy count greater than zero even no request is being processed.


busy is displayed in the balancer_handler() so users/customers will 
notice the value doesn't return to zero...


If you run a load test the value of busy will increase by time and 
in all the workers


When using bybusyness, having pics in the load and later no much 
load makes the lowest busy workers used and the ones with a wrong 
higher value not being used.


In a test with 3 workers, I end with busy:
worker1: 3
worker2: 0
worker3: 2
Doing the load test several time the buys values are increasing in 
all workers.


I am wondering is we could end with something like:
worker1: 1000
worker2: 0
worker3: 1000

in this case bybusyness will send all the load to worker2 until we 
reach 1000 simultaneous request on worker2... Obvious that looks bad.


How to fix that?
1 - reset the busy using a watchdog and elected (or 
transferred+read) unchanged for some time (using one of timeout we 
have on workers).
2 - warn in the docs that bybusyness is not the best choice for 
loadbalancing.

3 - create another balancer that just choose random a worker.


--
Cheers

Jean-Frederic




--
Cheers

Jean-Frederic

Re: balancers bybusyness, bytraffic and byrequest thread/process safe issues

[jean-frederic clere]

On 8/31/23 18:23, Jim Jagielski wrote:

IIRC, the goal of having an "aging" function was to handle this exact kind of 
thing, where values could be normalized over a long period of time so that old entries 
that may skew results are not weighted as heavily as new ones.


So the reset() and age() are for those?
struct proxy_balancer_method {
const char *name;/* name of the load balancer method*/
proxy_worker *(*finder)(proxy_balancer *balancer,
request_rec *r);
void*context;   /* general purpose storage */
apr_status_t (*reset)(proxy_balancer *balancer, server_rec *s);
apr_status_t (*age)(proxy_balancer *balancer, server_rec *s);
apr_status_t (*updatelbstatus)(proxy_balancer *balancer, 
proxy_worker *elected, server_rec *s);

};

There are not much doc nor example of use, correct?
Where can I find something?





On Aug 30, 2023, at 11:19 AM, jean-frederic clere  wrote:

Hi,

All the balancers have thread/process safe issues, but with bybusyness the 
effect is worse, basically a worker may stay with a busy count greater than 
zero even no request is being processed.

busy is displayed in the balancer_handler() so users/customers will notice the 
value doesn't return to zero...

If you run a load test the value of busy will increase by time and in all the 
workers

When using bybusyness, having pics in the load and later no much load makes the 
lowest busy workers used and the ones with a wrong higher value not being used.

In a test with 3 workers, I end with busy:
worker1: 3
worker2: 0
worker3: 2
Doing the load test several time the buys values are increasing in all workers.

I am wondering is we could end with something like:
worker1: 1000
worker2: 0
worker3: 1000

in this case bybusyness will send all the load to worker2 until we reach 1000 
simultaneous request on worker2... Obvious that looks bad.

How to fix that?
1 - reset the busy using a watchdog and elected (or transferred+read) unchanged 
for some time (using one of timeout we have on workers).
2 - warn in the docs that bybusyness is not the best choice for loadbalancing.
3 - create another balancer that just choose random a worker.

--
Cheers

Jean-Frederic




--
Cheers

Jean-Frederic

Re: balancers bybusyness, bytraffic and byrequest thread/process safe issues

[jean-frederic clere]

On 8/31/23 18:46, Rainer Jung wrote:

Hi there,

mod_jk for example uses such aging, but only for the non busyness case. 
busyness is meant to show the number of currently in-flight requests, so 
aging isn't a good fit there. Old load numbers are never part of 
busyness. But busyness is the mode that is most sensitive to the numer 
skew effects that JFC observed. Therefore that attempt to have more 
precise counting there.


Based on the mod_jk code, I have a PR:
https://github.com/apache/httpd/pull/383



It makes sense for byrequests and bytraffic though. But in mod_jk we use 
a different byrequests algorithm. Not the original count and decrement 
system that Mladen introduced but instead a count and age system.


The aging for byrequests and bytraffic could be hooked on mod_watchdog 
which is nice, because we would not need to run it as part of normal 
request handling.


I will look to the age() and other to see how to use it with byrequests 
and bytraffic.




Another thing that comes to my mind is (graceful) restart handlingan 
bybusyness. It might make sense to clear the numbers in case of such an 
event.


Best regards,

Rainer

Am 31.08.23 um 18:23 schrieb Jim Jagielski:
IIRC, the goal of having an "aging" function was to handle this exact 
kind of thing, where values could be normalized over a long period of 
time so that old entries that may skew results are not weighted as 
heavily as new ones.


On Aug 30, 2023, at 11:19 AM, jean-frederic clere  
wrote:


Hi,

All the balancers have thread/process safe issues, but with 
bybusyness the effect is worse, basically a worker may stay with a 
busy count greater than zero even no request is being processed.


busy is displayed in the balancer_handler() so users/customers will 
notice the value doesn't return to zero...


If you run a load test the value of busy will increase by time and in 
all the workers


When using bybusyness, having pics in the load and later no much load 
makes the lowest busy workers used and the ones with a wrong higher 
value not being used.


In a test with 3 workers, I end with busy:
worker1: 3
worker2: 0
worker3: 2
Doing the load test several time the buys values are increasing in 
all workers.


I am wondering is we could end with something like:
worker1: 1000
worker2: 0
worker3: 1000

in this case bybusyness will send all the load to worker2 until we 
reach 1000 simultaneous request on worker2... Obvious that looks bad.


How to fix that?
1 - reset the busy using a watchdog and elected (or transferred+read) 
unchanged for some time (using one of timeout we have on workers).
2 - warn in the docs that bybusyness is not the best choice for 
loadbalancing.

3 - create another balancer that just choose random a worker.

--
Cheers

Jean-Frederic

´


--
Cheers

Jean-Frederic

Re: balancers bybusyness, bytraffic and byrequest thread/process safe issues

[jean-frederic clere]

On 8/30/23 17:33, Rainer Jung wrote:

Hi JFC,

I have not checked ur current code, but the topic reminds me of our 
history in mod_jk land. There we switched the counters to atomics were 
available. The other problematic part could be how to handle process 
local counters versus global counters.


Using apr_atomic_inc32()/apr_atomic_dec32 on apr_size_t busy won't work?
Actual apr_size_t for busy is probably overkill does using 
apr_atomic_add64() and apr_atomic_dec64() makes sense here?


Anyway I will give it a try.



Busyness was especially problematic for mod_jk as well, because we never 
deremented below zero if we lost increments, but if we lost decrements 
the counters stayed elevated. I think there we now have no longer such 
problems.


Best regards,

Rainer

Am 30.08.23 um 17:19 schrieb jean-frederic clere:

Hi,

All the balancers have thread/process safe issues, but with bybusyness 
the effect is worse, basically a worker may stay with a busy count 
greater than zero even no request is being processed.


busy is displayed in the balancer_handler() so users/customers will 
notice the value doesn't return to zero...


If you run a load test the value of busy will increase by time and in 
all the workers


When using bybusyness, having pics in the load and later no much load 
makes the lowest busy workers used and the ones with a wrong higher 
value not being used.


In a test with 3 workers, I end with busy:
worker1: 3
worker2: 0
worker3: 2
Doing the load test several time the buys values are increasing in all 
workers.


I am wondering is we could end with something like:
worker1: 1000
worker2: 0
worker3: 1000

in this case bybusyness will send all the load to worker2 until we 
reach 1000 simultaneous request on worker2... Obvious that looks bad.


How to fix that?
1 - reset the busy using a watchdog and elected (or transferred+read) 
unchanged for some time (using one of timeout we have on workers).
2 - warn in the docs that bybusyness is not the best choice for 
loadbalancing.

3 - create another balancer that just choose random a worker.


--
Cheers

Jean-Frederic

balancers bybusyness, bytraffic and byrequest thread/process safe issues

[jean-frederic clere]

Hi,

All the balancers have thread/process safe issues, but with bybusyness 
the effect is worse, basically a worker may stay with a busy count 
greater than zero even no request is being processed.


busy is displayed in the balancer_handler() so users/customers will 
notice the value doesn't return to zero...


If you run a load test the value of busy will increase by time and in 
all the workers


When using bybusyness, having pics in the load and later no much load 
makes the lowest busy workers used and the ones with a wrong higher 
value not being used.


In a test with 3 workers, I end with busy:
worker1: 3
worker2: 0
worker3: 2
Doing the load test several time the buys values are increasing in all 
workers.


I am wondering is we could end with something like:
worker1: 1000
worker2: 0
worker3: 1000

in this case bybusyness will send all the load to worker2 until we reach 
1000 simultaneous request on worker2... Obvious that looks bad.


How to fix that?
1 - reset the busy using a watchdog and elected (or transferred+read) 
unchanged for some time (using one of timeout we have on workers).
2 - warn in the docs that bybusyness is not the best choice for 
loadbalancing.

3 - create another balancer that just choose random a worker.

--
Cheers

Jean-Frederic

tomcat and httpd track before July 13th! Final Reminder: Community Over Code call for presentations closing soon

[jean-frederic clere]

Hi,

Don't forget to submit talks ASAP to:
https://communityovercode.org/call-for-presentations/
there is a tomcat and httpd track for us.

Cheers

Jean-Frederic


 Forwarded Message 
Subject: Final Reminder: Community Over Code call for presentations 
closing soon

Date: Wed, 28 Jun 2023 16:09:34 -0400
From: Rich Bowen 
Reply-To: plann...@apachecon.com
Organization: The Apache Software Foundation
To: ApacheCon Planners 

[Note: You're receiving this email because you are subscribed to one or
more project dev@ mailing lists at the Apache Software Foundation.]

This is your final reminder that the Call for Presentations for
Community Over Code (formerly known as ApacheCon) is closing soon - on
Thursday, 13 July 2023 at 23:59:59 GMT.

https://communityovercode.org/call-for-presentations/

We are looking for talk proposals on all topics related to ASF projects
and open source software.

The event will be held in Halifax, Nova Scotia, Octiber 7th through
10th. More details about the event may be found on the event website at
https://communityovercode.org/

Rich, for the event planners

--
Cheers

Jean-Frederic

Re: build trunk in windows

[jean-frederic clere]

On 5/4/23 11:31, Yann Ylavic wrote:

On Wed, May 3, 2023 at 2:54 PM jean-frederic clere  wrote:


On 4/24/23 18:25, Steffen wrote:

There is a howto Building Apache and dependencies using CMake at

https://www.apachelounge.com/viewtopic.php?t=8609
<https://www.apachelounge.com/viewtopic.php?t=8609>




I ended fixing include/http_protocol.h see patch, did I miss something?


Looks like ap_h1_response_out_filter() is declared in
"include/mod_core.h" already, but without AP_CORE_DECLARE_NONSTD().
Not sure if we should remove the AP_CORE_DECLARE_NONSTD() in
"modules/http/http_filters.c" (where it's implemented) or add it in
the declaration. For instance ap_http_outerror_filter() has no
AP_CORE_DECLARE_NONSTD() anywhere..


OK I have fixed ap_h1_response_out_filter() to follow 
include/http_protocol.h




Regards;
Yann.


--
Cheers

Jean-Frederic

Re: svn commit: r1910327 - /httpd/httpd/branches/2.4.x/STATUS

[jean-frederic clere]

On 6/9/23 14:58, rpl...@apache.org wrote:

Author: rpluem
Date: Fri Jun  9 12:58:55 2023
New Revision: 1910327

URL: http://svn.apache.org/viewvc?rev=1910327=rev
Log:
* Vote and comment [skip ci]

Modified:
 httpd/httpd/branches/2.4.x/STATUS

Modified: httpd/httpd/branches/2.4.x/STATUS
URL: 
http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1910327=1910326=1910327=diff
==
--- httpd/httpd/branches/2.4.x/STATUS (original)
+++ httpd/httpd/branches/2.4.x/STATUS Fri Jun  9 12:58:55 2023
@@ -213,6 +213,7 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   Backport version for 2.4.x of patch:
https://raw.githubusercontent.com/jfclere/patch/main/mod_deflate.patch
   +1: jfclere,
+ rpluem says: Does anyone know why we don't merge the server config?


We have:
+++
create_deflate_dirconf,   /* dir config creater */
NULL, /* dir merger --- default is to 
override */

create_deflate_server_config, /* server config */
NULL, /* merge server config */
+++

Are you asking why? ;-)

  
*) mod_http2:

   - new directive 'H2MaxDataFrameLen n'
@@ -264,14 +265,14 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
https://svn.apache.org/r1908657
https://svn.apache.org/r1908150
   2.4.x patch: svn merge -c 1877350,1894021,1906379,1908657,1908150 
^/httpd/httpd/trunk .
- +1: jailletc36,
+ +1: jailletc36, rpluem
  
*) core: Optimize send_brigade_nonblocking()

   trunk patch:
  https://svn.apache.org/r1892450
  https://svn.apache.org/r1909966
   2.4.x patch: svn merge -c 1892450,1909966 ^/httpd/httpd/trunk .
- +1: jailletc36,
+ +1: jailletc36, rpluem
  
*) mod_proxy: If we fail to connect to all looked up IP's from the worker

   lookup cache it might be caused by a change on DNS side. Try another




--
Cheers

Jean-Frederic

Re: [VOTE] Switch read/write repository from Subversion to Git

[jean-frederic clere]

On 5/4/23 10:34, Ruediger Pluem wrote:

[X]: Move the read/write repository from Subversion to Git and leverage the 
features of Github (for now Actions and PR).


--
Cheers

Jean-Frederic

ProxyPass / balancer://qacluster/ vs ProxyPass / balancer://qacluster

[jean-frederic clere]

Hi,

The right syntax is ProxyPass / balancer://qacluster/ the other one 
gives something like:

"(scheme 'balancer'). If you are using a DSO version of mod_proxy".

Does it make sense to try to valid those ProxPass a bit better?

--
Cheers

Jean-Frederic

Re: build trunk in windows

[jean-frederic clere]

On 5/4/23 11:31, Yann Ylavic wrote:

On Wed, May 3, 2023 at 2:54 PM jean-frederic clere  wrote:


On 4/24/23 18:25, Steffen wrote:

There is a howto Building Apache and dependencies using CMake at

https://www.apachelounge.com/viewtopic.php?t=8609
<https://www.apachelounge.com/viewtopic.php?t=8609>




I ended fixing include/http_protocol.h see patch, did I miss something?


Looks like ap_h1_response_out_filter() is declared in
"include/mod_core.h" already, but without AP_CORE_DECLARE_NONSTD().
Not sure if we should remove the AP_CORE_DECLARE_NONSTD() in
"modules/http/http_filters.c" (where it's implemented) or add it in
the declaration. For instance ap_http_outerror_filter() has no
AP_CORE_DECLARE_NONSTD() anywhere..


so removing AP_CORE_DECLARE_NONSTD() in ./modules/http/http_filters.c is 
probably the smallest fix.


Putting AP_CORE_DECLARE_NONSTD() "everywhere" sounds weird to me ;-)

I will do that later this week-end, is that OK ;-)


Regards;
Yann.


--
Cheers

Jean-Frederic

Re: build trunk in windows

[jean-frederic clere]

On 4/24/23 18:25, Steffen wrote:

There is a howto Building Apache and dependencies using CMake at

https://www.apachelounge.com/viewtopic.php?t=8609 
<https://www.apachelounge.com/viewtopic.php?t=8609>





I ended fixing include/http_protocol.h see patch, did I miss something?




Op 24 apr. 2023 om 18:18 heeft jean-frederic clere  
het volgende geschreven:


On 4/24/23 13:36, Ruediger Pluem wrote:
I am not a Windows guy, but I guess the best way to build trunk on 
Windows is to use cmake which is integrated in later versions

of Visual studio.


So I need first apr, then apr-util, in apr-util
+++
-- Could NOT find OpenSSL, try to set the path to OpenSSL root folder 
in the system variable OPENSSL_ROOT_DIR (missing: 
OPENSSL_CRYPTO_LIBRARY OPENSSL_INCLUDE_DIR)

-- Could NOT find EXPAT (missing: EXPAT_LIBRARY EXPAT_INCLUDE_DIR)
CMake Error at CMakeLists.txt:36 (MESSAGE):
 APR include directory C:/Program Files (x86)/APR-Util/include is not
 correct.
+++
Are all libraries mandatory? (apr-util needs some and httpd some more).


Regards
Rüdiger
On 4/24/23 1:05 PM, jean-frederic clere wrote:

Hi,

I am trying to build httpd on windoze...

"The .dsp project files are distributed in Visual Studio 6.0 (98) 
format. Visual C++ 5.0 (97) will recognize them. Visual Studio
2002 (.NET) and later users must convert Apache.dsw plus the .dsp 
files into an Apache.sln plus .msproj files. Be sure you
reconvert the .msproj file again if its source .dsp file changes! 
This is really trivial, just open Apache.dsw in the VC++ 7.0 IDE

once again and reconvert."

Where can I find the VC++ 7.0 IDE to convert the .dsp I can't use?



--
Cheers

Jean-Frederic



--
Cheers

Jean-Frederic
Index: include/http_protocol.h
===
--- include/http_protocol.h (revision 1909191)
+++ include/http_protocol.h (working copy)
@@ -1321,6 +1321,7 @@
 
 AP_DECLARE_NONSTD(apr_status_t) ap_byterange_filter(ap_filter_t *f, 
apr_bucket_brigade *b);
 AP_DECLARE_NONSTD(apr_status_t) ap_http_header_filter(ap_filter_t *f, 
apr_bucket_brigade *b);
+AP_DECLARE_NONSTD(apr_status_t) ap_h1_response_out_filter(ap_filter_t *f, 
apr_bucket_brigade *b);
 AP_DECLARE_NONSTD(apr_status_t) ap_content_length_filter(ap_filter_t *,
   
apr_bucket_brigade *);
 AP_DECLARE_NONSTD(apr_status_t) ap_old_write_filter(ap_filter_t *f, 
apr_bucket_brigade *b);

Re: build trunk in windows

[jean-frederic clere]

On 4/24/23 13:36, Ruediger Pluem wrote:

I am not a Windows guy, but I guess the best way to build trunk on Windows is 
to use cmake which is integrated in later versions
of Visual studio.


So I need first apr, then apr-util, in apr-util
+++
-- Could NOT find OpenSSL, try to set the path to OpenSSL root folder in 
the system variable OPENSSL_ROOT_DIR (missing: OPENSSL_CRYPTO_LIBRARY 
OPENSSL_INCLUDE_DIR)

-- Could NOT find EXPAT (missing: EXPAT_LIBRARY EXPAT_INCLUDE_DIR)
CMake Error at CMakeLists.txt:36 (MESSAGE):
  APR include directory C:/Program Files (x86)/APR-Util/include is not
  correct.
+++
Are all libraries mandatory? (apr-util needs some and httpd some more).



Regards

Rüdiger

On 4/24/23 1:05 PM, jean-frederic clere wrote:

Hi,

I am trying to build httpd on windoze...

"The .dsp project files are distributed in Visual Studio 6.0 (98) format. 
Visual C++ 5.0 (97) will recognize them. Visual Studio
2002 (.NET) and later users must convert Apache.dsw plus the .dsp files into an 
Apache.sln plus .msproj files. Be sure you
reconvert the .msproj file again if its source .dsp file changes! This is 
really trivial, just open Apache.dsw in the VC++ 7.0 IDE
once again and reconvert."

Where can I find the VC++ 7.0 IDE to convert the .dsp I can't use?



--
Cheers

Jean-Frederic

build trunk in windows

[jean-frederic clere]

Hi,

I am trying to build httpd on windoze...

"The .dsp project files are distributed in Visual Studio 6.0 (98) 
format. Visual C++ 5.0 (97) will recognize them. Visual Studio 2002 
(.NET) and later users must convert Apache.dsw plus the .dsp files into 
an Apache.sln plus .msproj files. Be sure you reconvert the .msproj file 
again if its source .dsp file changes! This is really trivial, just open 
Apache.dsw in the VC++ 7.0 IDE once again and reconvert."


Where can I find the VC++ 7.0 IDE to convert the .dsp I can't use?

--
Cheers

Jean-Frederic

Re: graceful stop of child process in a module

[jean-frederic clere]

On 4/17/23 01:00, Eric Covener wrote:

On Fri, Apr 14, 2023 at 11:49 AM jean-frederic clere  wrote:


Hi,

I am try to gracefully stop a child process instead using ap_assert(0),
is there a "clean way" to do that?


I added something like this to our distribution in IBM to address a
hairy problem with our security library.

Each MPM already has a way to terminate the process due to
MaxRequestsPerChild, e.g. check_infinite_requests() in worker and
event or the block like this in winnt:

 /* Have we hit MaxConnectionsPerChild connections? */
 if (ap_max_requests_per_child) {
 requests_this_child++;
 if (requests_this_child > ap_max_requests_per_child) {
 SetEvent(max_requests_per_child_event);
 }
 }



I don't see how I can get the right event: max_requests_per_child_event. 
May be I need to remember more on windows :-(




If you look at the "mpm_get_name" hook, this gives a pattern where
each MPM can provide the impl itself. Then there would just be some
non-static thing in e.g. core.c that does the ap_run_foo part.


Something like ap_run_child_stopping(r->pool, 1); seems to do the job 
for event, prefork and worker... I am stuck for windows.


--
Cheers

Jean-Frederic

graceful stop of child process in a module

[jean-frederic clere]

Hi,

I am try to gracefully stop a child process instead using ap_assert(0), 
is there a "clean way" to do that?

--
Cheers

Jean-Frederic

Re: mod_watchdog.c looping for mutex?

[jean-frederic clere]

On 3/19/23 12:21, Yann Ylavic wrote:

On Sun, Mar 19, 2023 at 9:53 AM jean-frederic clere  wrote:


Hi,

While debugging I noted something in mod_watchdog.c
https://github.com/apache/httpd/blob/trunk/modules/core/mod_watchdog.c#L115

Shouldn't we have a else { } with a apr_sleep()?
Basically the thread is looping there :-(


Hm, it seems that there is a sleep() already here:
https://github.com/apache/httpd/blob/trunk/modules/core/mod_watchdog.c#L132
?


Oops sorry for the noise.




Regards;
Yann.


--
Cheers

Jean-Frederic

mod_watchdog.c looping for mutex?

[jean-frederic clere]

Hi,

While debugging I noted something in mod_watchdog.c
https://github.com/apache/httpd/blob/trunk/modules/core/mod_watchdog.c#L115

Shouldn't we have a else { } with a apr_sleep()?
Basically the thread is looping there :-(
--
Cheers

Jean-Frederic

Re: mod_wasm: Contributing Upstream to Apache

[jean-frederic clere]

On 11/14/22 07:37, Jesús González wrote:

Hi everyone,

I’m Jesús González, and I am part of VMware’s Wasm Labs: wasmlabs.dev 
<https://wasmlabs.dev/>, a group focused on creating open source tools 
for WebAssembly.


We have created mod_wasm, an Apachemodule for running WebAssembly 
binaries inside httpd, and we would like to contribute it upstream. 
Please see below for more details. We would love to get your feedback 
and understand what improvements would be needed (if any) before it 
could be considered for contribution to the project.


The details:

WebAssembly <https://webassembly.org/>(Wasm) is a new binary instruction 
format that is open, portable, efficient, secure, and polyglot. It 
originated in the browser but is increasingly used in server 
applications, in particular NGINX, Apache APISIX, Istio provide 
Wasm-based plugin support (i.e.: 
https://apisix.apache.org/docs/apisix/wasm/ 
<https://apisix.apache.org/docs/apisix/wasm/>).


mod_wasm is a way to run WebAssembly modules inside Apache Server. This 
is similar to how mod_php embeds a PHP runtime to run PHP code. This 
enables any language that supports WebAssembly (including C++, Rust, Go 
but also Python, PHP, Ruby) to run with mod_wasm and take advantage of 
the extra level of security and sandboxing. To learn more about mod_wasm 
you can check out the following resources:


  * An overviewarticle
<https://wasmlabs.dev/articles/apache-mod-wasm/>for the original
release.
  * We presented mod_wasm at ApacheCon this year and here are theslides

<https://apachecon.com/acna2022/slides/01_Gonz%c3%a1lez_mod-wasm_Bringing_WebAssembly.pdf>and
 the source code:https://github.com/vmware-labs/mod_wasm 
<https://github.com/vmware-labs/mod_wasm>.
  * CNCF Talk on mod_wasm showcasing how to run
WordPress:https://www.youtube.com/watch?v=jXe8kulUscQ
<https://www.youtube.com/watch?v=jXe8kulUscQ>

In terms of mod_wasm architecture, the module is split into two parts:

  * /mod_wasm.so/is the extension module for Apache and it’s written in C.
  * An external dependency:/libwasm_runtime.so/, which is written in
Rust and needs to be installed into the system.

We modelled this after mod_tls, a module that is part of httpd and also 
has a Rust dependency.


You can take a look at the architecture diagram and instructions on how 
to build the module 
here:https://github.com/vmware-labs/mod_wasm#%EF%B8%8F-building-mod_wasm 
<https://github.com/vmware-labs/mod_wasm#%EF%B8%8F-building-mod_wasm>


In terms of the actual contribution, please find a patch attached. We 
tried to follow all existing conventions in terms of autoconf/automake, 
providing module documentation, etc. Please let us know anything that 
you see missing or could be improved. In particular, we do not know yet 
if it is better to keep the Rust code separate, as an external 
dependency (like mod_tls does) or in the Apache source code repository.


In summary, we believe mod_wasm is a worthy addition to httpd and it 
will allow us to catch up to some of the other web servers already 
supporting Wasm, like NGINX. We were encouraged by Rich Bowen, Jim 
Jagielski and Jean-Frederic Clere to submit it for contribution upstream 
and we are looking forward to your feedback.


Today I have send some time of mod_wasm, basically I have build the 
module and the runtime and run the hello demo. Using 
https://github.com/vmware-labs/mod_wasm.git (main)


Reviewing that from a diff is hard, probably probably a PR again httpd 
(https://github.com/apache/httpd/tree/trunk for example) would more easy 
to review.


When trying to run the hello I noted that requires a big runtime 
(basically I had unresolved wasm_return_const_char_ownership() which 
comes from a rust file).


I also noted that the headers in the c and h file needs to updated.

And to clarify your goal is to donate the modules code and help to 
maintain it, correct?





Cheers!

Jesús



--
Cheers

Jean-Frederic

Re: [VOTE] Release libapreq2-2.17

[jean-frederic clere]

On 8/18/22 13:31, Joe Orton wrote:

[X] +1: It's not just good, it's good enough!


Tested on fedora 36

--
Cheers

Jean-Frederic

Re: problems with proxy worker and name_ex

[jean-frederic clere]

On 20/07/2022 11:09, Yann Ylavic wrote:

On Wed, Jul 20, 2022 at 10:43 AM jean-frederic clere  wrote:


Hi,

I think we have something wrong:
https://github.com/apache/httpd/blob/trunk/include/ap_mmn.h#L719
and
https://github.com/apache/httpd/blob/2.4.x/include/ap_mmn.h#L601

How external modules can detect that 2.4.x has diverged from trunk?


For 2.5.x/trunk (where PROXY_WORKER_MAX_NAME_SIZE bumped to 384):
#if AP_MODULE_MAGIC_AT_LEAST(20211221, 0)

For 2.4.x (where name_ex[PROXY_WORKER_EXT_NAME_SIZE] was added):
#if MODULE_MAGIC_NUMBER_MAJOR == 20120211 && MODULE_MAGIC_NUMBER_MINOR >= 124

?

Oops too tired today... Sorry for the noises... Thanks ;-)



Regards;
Yann.



--
Cheers

Jean-Frederic

problems with proxy worker and name_ex

[jean-frederic clere]

Hi,

I think we have something wrong:
https://github.com/apache/httpd/blob/trunk/include/ap_mmn.h#L719
and
https://github.com/apache/httpd/blob/2.4.x/include/ap_mmn.h#L601

How external modules can detect that 2.4.x has diverged from trunk?
--
Cheers

Jean-Frederic

Re: svn commit: r1899390 - in /httpd/httpd/trunk: CHANGES modules/proxy/mod_proxy.c modules/proxy/mod_proxy.h

[jean-frederic clere]

On 01/04/2022 13:41, Jim Jagielski wrote:
It was added in anticipation of the capability to be folded in, and done 
so "now" so that it would;t require any API changes.


Unless it's actually breaking something, I'd vote to simply keep it


OK I will try to propose some code to create the balancers I am still 
stuck how to create the memory slots for the workers of the those 
dynamic balancers.




On Apr 1, 2022, at 3:42 AM, jean-frederic clere <mailto:jfcl...@gmail.com>> wrote:


On 01/04/2022 08:47, jean-frederic clere wrote:

On 31/03/2022 12:59, Ruediger Pluem wrote:



On 3/31/22 12:34 PM, Stefan Eissing wrote:



Am 31.03.2022 um 11:55 schrieb Ruediger Pluem <mailto:rpl...@apache.org>>:




On 3/31/22 11:11 AM, Ruediger Pluem wrote:



On 3/30/22 4:42 PM, jfcl...@apache.org 
<mailto:jfcl...@apache.org> wrote:

Author: jfclere
Date: Wed Mar 30 14:42:14 2022
New Revision: 1899390

URL: http://svn.apache.org/viewvc?rev=1899390=rev 
<http://svn.apache.org/viewvc?rev=1899390=rev>

Log:
Add WorkerBalancerGrowth. To allow creation of workers
to dynamically added balancers.

Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/modules/proxy/mod_proxy.c
httpd/httpd/trunk/modules/proxy/mod_proxy.h

Modified: httpd/httpd/trunk/CHANGES
URL: 
http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1899390=1899389=1899390=diff 
<http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1899390=1899389=1899390=diff>

==
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Wed Mar 30 14:42:14 2022
@@ -1,6 +1,10 @@
-*- coding: utf-8 -*-
Changes with Apache 2.5.1

+ *) mod_proxy: Add WorkerBalancerGrowth to allow adding workers to
+ balancer created dynamically or via "empty" balancer://../ >

+ [Jean-Frederic Clere]


I am not sure why this is needed. You can already do this via

 growth=10>



Or

>
ProxySet growth=10



FYI: Travis trunk also fails almost completely. Does not seem to 
accept a proxy configuration.


This is because the if

+  if (!ap_strchr_c(conf->p, ':'))
+  return apr_pstrcat(cmd->pool, thiscmd->name,
+  "> arguments are not supported for non url.",
+  NULL);

should not return with an error, but just encapsulate the remainder 
of the block. And I think the further

return apr_pstrcat are also wrong.

But as said I am not sure about the purpose at all as you can 
already do, what the patch should provide if I understand the patch

correctly.
The purpose was to be able to add a balancer in the balancer-manager 
handle but that needs to pre-create the mutex and the slots for the 
workers.

While looking to that I noted that:
>

was doing nothing, the balancer is ignored, I should I revert the 
patch and add an error message if there is an empty entry like this one?


There is also the BalancerGrowth directive that does nothing else than 
creating a memory slot for balancers we never add/create in the 
balancer-manager, I am tempted to remove it...


Would it be better to add the missing logic? I have some pieces in 
mod_proxy_cluster (https://github.com/modcluster/mod_proxy_cluster 
<https://github.com/modcluster/mod_proxy_cluster>that could use the logic.


Regards

Rüdiger



--
Cheers

Jean-Frederic





--
Cheers

Jean-Frederic

Re: svn commit: r1899390 - in /httpd/httpd/trunk: CHANGES modules/proxy/mod_proxy.c modules/proxy/mod_proxy.h

[jean-frederic clere]

On 01/04/2022 10:03, Ruediger Pluem wrote:



On 4/1/22 8:47 AM, jean-frederic clere wrote:

On 31/03/2022 12:59, Ruediger Pluem wrote:



On 3/31/22 12:34 PM, Stefan Eissing wrote:




Am 31.03.2022 um 11:55 schrieb Ruediger Pluem :



On 3/31/22 11:11 AM, Ruediger Pluem wrote:



On 3/30/22 4:42 PM, jfcl...@apache.org wrote:

Author: jfclere
Date: Wed Mar 30 14:42:14 2022
New Revision: 1899390

URL: http://svn.apache.org/viewvc?rev=1899390=rev
Log:
Add WorkerBalancerGrowth. To allow creation of workers
to dynamically added balancers.

Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/modules/proxy/mod_proxy.c
httpd/httpd/trunk/modules/proxy/mod_proxy.h

Modified: httpd/httpd/trunk/CHANGES
URL: 
http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1899390=1899389=1899390=diff
==
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Wed Mar 30 14:42:14 2022
@@ -1,6 +1,10 @@
-*- coding: utf-8 -*-
Changes with Apache 2.5.1

+ *) mod_proxy: Add WorkerBalancerGrowth to allow adding workers to
+ balancer created dynamically or via "empty" 
+ [Jean-Frederic Clere]


I am not sure why this is needed. You can already do this via





Or


ProxySet growth=10



FYI: Travis trunk also fails almost completely. Does not seem to accept a proxy 
configuration.


This is because the if

+    if (!ap_strchr_c(conf->p, ':'))
+    return apr_pstrcat(cmd->pool, thiscmd->name,
+   "> arguments are not supported for non url.",
+   NULL);

should not return with an error, but just encapsulate the remainder of the 
block. And I think the further
return apr_pstrcat are also wrong.

But as said I am not sure about the purpose at all as you can already do, what 
the patch should provide if I understand the patch
correctly.


The purpose was to be able to add a balancer in the balancer-manager handle but 
that needs to pre-create the mutex and the slots
for the workers.

While looking to that I noted that:



was doing nothing, the balancer is ignored, I should I revert the patch and add 
an error message if there is an empty entry like
this one?


Do




or


ProxySet growth=10


work and do what you want? If yes, please revert.


Sure I have a PR to revert, waiting on travis...


Feel free to add a detection for such empty proxy blocks. I think a warning
should be sufficient. How do you want to detect this? By inspecting 
new_dir_conf after ap_walk_config was executed?


putting it in the proxysection() is not the best, correct?



Regards

Rüdiger



--
Cheers

Jean-Frederic

Re: svn commit: r1899390 - in /httpd/httpd/trunk: CHANGES modules/proxy/mod_proxy.c modules/proxy/mod_proxy.h

[jean-frederic clere]

On 31/03/2022 12:34, Stefan Eissing wrote:




Am 31.03.2022 um 11:55 schrieb Ruediger Pluem :



On 3/31/22 11:11 AM, Ruediger Pluem wrote:



On 3/30/22 4:42 PM, jfcl...@apache.org wrote:

Author: jfclere
Date: Wed Mar 30 14:42:14 2022
New Revision: 1899390

URL: http://svn.apache.org/viewvc?rev=1899390=rev
Log:
Add WorkerBalancerGrowth. To allow creation of workers
to dynamically added balancers.

Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/modules/proxy/mod_proxy.c
httpd/httpd/trunk/modules/proxy/mod_proxy.h

Modified: httpd/httpd/trunk/CHANGES
URL: 
http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1899390=1899389=1899390=diff
==
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Wed Mar 30 14:42:14 2022
@@ -1,6 +1,10 @@
-*- coding: utf-8 -*-
Changes with Apache 2.5.1

+ *) mod_proxy: Add WorkerBalancerGrowth to allow adding workers to
+ balancer created dynamically or via "empty" 
+ [Jean-Frederic Clere]


I am not sure why this is needed. You can already do this via





Or


ProxySet growth=10



FYI: Travis trunk also fails almost completely. Does not seem to accept a proxy 
configuration.


I have done the PR and I am now waiting on Travis.





Regards

Rüdiger





--
Cheers

Jean-Frederic

Re: svn commit: r1899390 - in /httpd/httpd/trunk: CHANGES modules/proxy/mod_proxy.c modules/proxy/mod_proxy.h

[jean-frederic clere]

On 01/04/2022 08:47, jean-frederic clere wrote:

On 31/03/2022 12:59, Ruediger Pluem wrote:



On 3/31/22 12:34 PM, Stefan Eissing wrote:




Am 31.03.2022 um 11:55 schrieb Ruediger Pluem :



On 3/31/22 11:11 AM, Ruediger Pluem wrote:



On 3/30/22 4:42 PM, jfcl...@apache.org wrote:

Author: jfclere
Date: Wed Mar 30 14:42:14 2022
New Revision: 1899390

URL: http://svn.apache.org/viewvc?rev=1899390=rev
Log:
Add WorkerBalancerGrowth. To allow creation of workers
to dynamically added balancers.

Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/modules/proxy/mod_proxy.c
httpd/httpd/trunk/modules/proxy/mod_proxy.h

Modified: httpd/httpd/trunk/CHANGES
URL: 
http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1899390=1899389=1899390=diff 

== 


--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Wed Mar 30 14:42:14 2022
@@ -1,6 +1,10 @@
-*- coding: utf-8 -*-
Changes with Apache 2.5.1

+ *) mod_proxy: Add WorkerBalancerGrowth to allow adding workers to
+ balancer created dynamically or via "empty" 
+ [Jean-Frederic Clere]


I am not sure why this is needed. You can already do this via





Or


ProxySet growth=10



FYI: Travis trunk also fails almost completely. Does not seem to 
accept a proxy configuration.


This is because the if

+    if (!ap_strchr_c(conf->p, ':'))
+    return apr_pstrcat(cmd->pool, thiscmd->name,
+   "> arguments are not supported for non 
url.",

+   NULL);

should not return with an error, but just encapsulate the remainder of 
the block. And I think the further

return apr_pstrcat are also wrong.

But as said I am not sure about the purpose at all as you can already 
do, what the patch should provide if I understand the patch

correctly.


The purpose was to be able to add a balancer in the balancer-manager 
handle but that needs to pre-create the mutex and the slots for the 
workers.


While looking to that I noted that:



was doing nothing, the balancer is ignored, I should I revert the patch 
and add an error message if there is an empty entry like this one?


There is also the BalancerGrowth directive that does nothing else than 
creating a memory slot for balancers we never add/create in the 
balancer-manager, I am tempted to remove it...


Would it be better to add the missing logic? I have some pieces in 
mod_proxy_cluster (https://github.com/modcluster/mod_proxy_cluster that 
could use the logic.




Regards

Rüdiger






--
Cheers

Jean-Frederic

Re: svn commit: r1899390 - in /httpd/httpd/trunk: CHANGES modules/proxy/mod_proxy.c modules/proxy/mod_proxy.h

[jean-frederic clere]

On 31/03/2022 12:59, Ruediger Pluem wrote:



On 3/31/22 12:34 PM, Stefan Eissing wrote:




Am 31.03.2022 um 11:55 schrieb Ruediger Pluem :



On 3/31/22 11:11 AM, Ruediger Pluem wrote:



On 3/30/22 4:42 PM, jfcl...@apache.org wrote:

Author: jfclere
Date: Wed Mar 30 14:42:14 2022
New Revision: 1899390

URL: http://svn.apache.org/viewvc?rev=1899390=rev
Log:
Add WorkerBalancerGrowth. To allow creation of workers
to dynamically added balancers.

Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/modules/proxy/mod_proxy.c
httpd/httpd/trunk/modules/proxy/mod_proxy.h

Modified: httpd/httpd/trunk/CHANGES
URL: 
http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1899390=1899389=1899390=diff
==
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Wed Mar 30 14:42:14 2022
@@ -1,6 +1,10 @@
-*- coding: utf-8 -*-
Changes with Apache 2.5.1

+ *) mod_proxy: Add WorkerBalancerGrowth to allow adding workers to
+ balancer created dynamically or via "empty" 
+ [Jean-Frederic Clere]


I am not sure why this is needed. You can already do this via





Or


ProxySet growth=10



FYI: Travis trunk also fails almost completely. Does not seem to accept a proxy 
configuration.


This is because the if

+if (!ap_strchr_c(conf->p, ':'))
+return apr_pstrcat(cmd->pool, thiscmd->name,
+   "> arguments are not supported for non url.",
+   NULL);

should not return with an error, but just encapsulate the remainder of the 
block. And I think the further
return apr_pstrcat are also wrong.

But as said I am not sure about the purpose at all as you can already do, what 
the patch should provide if I understand the patch
correctly.


The purpose was to be able to add a balancer in the balancer-manager 
handle but that needs to pre-create the mutex and the slots for the workers.


While looking to that I noted that:



was doing nothing, the balancer is ignored, I should I revert the patch 
and add an error message if there is an empty entry like this one?




Regards

Rüdiger



--
Cheers

Jean-Frederic

Re: HTTP and HTTP/1.x separation

[jean-frederic clere]

On 30/03/2022 11:11, Stefan Eissing wrote:




Am 28.03.2022 um 15:52 schrieb jean-frederic clere :

On 24/03/2022 13:21, Stefan Eissing wrote:

You are invited to have a look at my PR for separating HTTP/1.x processing from
generic HTTP protocol handling and verification:
https://github.com/apache/httpd/pull/291
I made a description of the changes in the PR that helps reviewing it (I hope).
"Changes appear larger than they really are"
A lot is code split+move from mod_http to mod_http1. In mod_http2, changes are
mainly removals of quirks necessary so far.
Kind Regards,
Stefan


Something fishy:
http/1.1:
+++

< HTTP/1.1 200 OK
< Date: Mon, 28 Mar 2022 13:48:23 GMT
< Server: Apache/2.5.1-dev (Unix) OpenSSL/1.1.1n
< Last-Modified: Fri, 25 Mar 2022 15:47:39 GMT
< ETag: "bf-5db0ce1e1e93e"
< Accept-Ranges: bytes
< Content-Length: 191
< Content-Type: text/html

+++
http/2:
+++
< HTTP/2 200
< last-modified: Fri, 25 Mar 2022 15:47:39 GMT
< etag: "bf-5db0ce1e1e93e"
< accept-ranges: bytes
< content-length: 191
< content-type: text/html
+++

Did I miss something?


Just added the fix to the PR:

   *) core, mod_http1, mod_http: moved the handling of the standard
  response headers `Date` and `Server` from mod_http1 into the
  generic HTTP protocol handling.
  Response buckets not always carry those headers (values preserved
  from proxied responses), irregardless of the HTTP protocol
  versions involved.
  mod_http1: the serialization of response header into HTTP/1.x
  format always writes `Date` and `Server` first if present. This
  assured backward compatibility with clients who are accustomed
  to this order.


Thanks my tests are passing now.



Kind Regards,

Stefan



--
Cheers

Jean-Frederic






--
Cheers

Jean-Frederic

Re: Support JSON output in mod_status and mod_info

[jean-frederic clere]

On 28/03/2022 14:28, Rainer Jung wrote:


I am thinking about adding a JSON output format to mod_status and 
mod_info as an option controlled by a query string parameter.


Since writing simple data structures from these modules is much simpler 
than parsing and processing a JSON structure, I would expect it to be 
based on simple ap_rputs() and ap_rprintf() like we already use it for 
auto (text) and HTML output. IMHO no need for a JSON library just for 
this use case.


Of course, this will slightly bloat the code with "if" statements and 
roughly double the amount of ap_rputs() and ap_rprintf().


For mod_status this probably means introduction of a new AP_STATUS_JSON 
value, so that in theory other modules could in the future update their 
status extensions with JSON support. In the meantime it might mean, that 
if a modules extends mod_status output, the result when asking for JSON 
output is no valid JSON (mix between mod_status JSON and mod_something 
providing HTML or text). For our own modules, especially mod_proxy, this 
can of course be fixed (and I will fix this). For mod_info, we do not 
have such an extension problem wrt. 3rd-party modules.


Any comments up-front before I try to prototype this?


+1 ;-)



Thanks and regards,

Rainer



--
Cheers

Jean-Frederic

Re: HTTP and HTTP/1.x separation

[jean-frederic clere]

On 28/03/2022 17:25, Stefan Eissing wrote:

Correct. When I first tried, the perl http2 framework was not very mature


Yep the perl http2 module looks abandoned :-(

--
Cheers

Jean-Frederic

Re: HTTP and HTTP/1.x separation

[jean-frederic clere]

On 28/03/2022 16:03, Stefan Eissing wrote:




Am 28.03.2022 um 15:52 schrieb jean-frederic clere :

On 24/03/2022 13:21, Stefan Eissing wrote:

You are invited to have a look at my PR for separating HTTP/1.x processing from
generic HTTP protocol handling and verification:
https://github.com/apache/httpd/pull/291
I made a description of the changes in the PR that helps reviewing it (I hope).
"Changes appear larger than they really are"
A lot is code split+move from mod_http to mod_http1. In mod_http2, changes are
mainly removals of quirks necessary so far.
Kind Regards,
Stefan


Something fishy:
http/1.1:
+++

< HTTP/1.1 200 OK
< Date: Mon, 28 Mar 2022 13:48:23 GMT
< Server: Apache/2.5.1-dev (Unix) OpenSSL/1.1.1n
< Last-Modified: Fri, 25 Mar 2022 15:47:39 GMT
< ETag: "bf-5db0ce1e1e93e"
< Accept-Ranges: bytes
< Content-Length: 191
< Content-Type: text/html

+++
http/2:
+++
< HTTP/2 200
< last-modified: Fri, 25 Mar 2022 15:47:39 GMT
< etag: "bf-5db0ce1e1e93e"
< accept-ranges: bytes
< content-length: 191
< content-type: text/html
+++

Did I miss something?


No, you found something. The generic server headers are not applied, it seems. 
Will look into this and add a test.


--
Cheers

Jean-Frederic





I think we have NO http/2 tests in the httpd-framework test, correct?

--
Cheers

Jean-Frederic

Re: HTTP and HTTP/1.x separation

[jean-frederic clere]

On 24/03/2022 13:21, Stefan Eissing wrote:

You are invited to have a look at my PR for separating HTTP/1.x processing from
generic HTTP protocol handling and verification:

https://github.com/apache/httpd/pull/291

I made a description of the changes in the PR that helps reviewing it (I hope).

"Changes appear larger than they really are"

A lot is code split+move from mod_http to mod_http1. In mod_http2, changes are
mainly removals of quirks necessary so far.


Kind Regards,
Stefan



Something fishy:
http/1.1:
+++

< HTTP/1.1 200 OK
< Date: Mon, 28 Mar 2022 13:48:23 GMT
< Server: Apache/2.5.1-dev (Unix) OpenSSL/1.1.1n
< Last-Modified: Fri, 25 Mar 2022 15:47:39 GMT
< ETag: "bf-5db0ce1e1e93e"
< Accept-Ranges: bytes
< Content-Length: 191
< Content-Type: text/html

+++
http/2:
+++
< HTTP/2 200
< last-modified: Fri, 25 Mar 2022 15:47:39 GMT
< etag: "bf-5db0ce1e1e93e"
< accept-ranges: bytes
< content-length: 191
< content-type: text/html
+++

Did I miss something?

--
Cheers

Jean-Frederic

Re: httpd-framework problem.

[jean-frederic clere]

On 28/03/2022 12:00, jean-frederic clere wrote:

Hi,

I have the following message with the framework:
+++

t/modules/proxy_websockets.t  lib/Math/Random/ISAAC/XS.c: 
loadable library and perl binaries are mismatched (got handshake key 
0xed00080, needed 0xeb00080)
t/modules/proxy_websockets.t  Dubious, test returned 1 (wstat 
256, 0x100)

+++

Anyone one has an idea? If no I will look in details later today ;-)



forget it... my bad rm -rf ~/perl5 and reinstall fixes it.

--
Cheers

Jean-Frederic

httpd-framework problem.

[jean-frederic clere]

Hi,

I have the following message with the framework:
+++

t/modules/proxy_websockets.t  lib/Math/Random/ISAAC/XS.c: 
loadable library and perl binaries are mismatched (got handshake key 
0xed00080, needed 0xeb00080)
t/modules/proxy_websockets.t  Dubious, test returned 1 (wstat 
256, 0x100)

+++

Anyone one has an idea? If no I will look in details later today ;-)

--
Cheers

Jean-Frederic

Re: svn commit: r1891321 - in /httpd/test/framework/trunk/t: conf/proxy.conf.in modules/proxy_balancer.t

[jean-frederic clere]

On 07/07/2021 09:00, Ruediger Pluem wrote:



On 7/6/21 6:56 PM, jfcl...@apache.org wrote:

Author: jfclere
Date: Tue Jul  6 16:56:47 2021
New Revision: 1891321

URL: http://svn.apache.org/viewvc?rev=1891321=rev
Log:
Add tests for dynamic part of mod_proxy_balancer.

Modified:
 httpd/test/framework/trunk/t/conf/proxy.conf.in
 httpd/test/framework/trunk/t/modules/proxy_balancer.t




Modified: httpd/test/framework/trunk/t/modules/proxy_balancer.t
URL: 
http://svn.apache.org/viewvc/httpd/test/framework/trunk/t/modules/proxy_balancer.t?rev=1891321=1891320=1891321=diff
==
--- httpd/test/framework/trunk/t/modules/proxy_balancer.t (original)
+++ httpd/test/framework/trunk/t/modules/proxy_balancer.t Tue Jul  6 16:56:47 
2021



@@ -54,4 +87,39 @@ foreach my $t (@echos) {
  skip $skipbodyfailover, t_cmp($r->content, $t, "response body echoed");
  }
  
+# test dynamic part

+$r = GET("/balancer-manager");
+ok t_cmp($r->code, 200, "Can't find balancer-manager");
+
+# get the nonce and add a worker
+my $result = GetNonce("/balancer-manager", "dynproxy");
+
+my $query = 
"b_lbm=byrequests_tmo=0_max=0_sforce=0_ss=_nwrkr=ajp%3A%2F%2F%5B0%3A0%3A0%3A0%3A0%3A0%3A0%3A1%5D%3A8080_wyes=1=dynproxy="
 . $result;
+my @proxy_balancer_headers;
+my $vars   = Apache::Test::vars();
+push @proxy_balancer_headers, "Referer" => "http://; . $vars->{servername} . ":" . 
$vars->{port} . "/balancer-manager";
+
+# First try with the referer it should fail.


s/with/without/ ?


Oops fixed, thanks.




+if (have_min_apache_version("2.4.41")) {
+  $r = POST("/balancer-manager", content => $query);
+  ok t_cmp($r->code, 200, "request failed");
+  ok !t_cmp($r->content, qr/ajp/, "AJP worker created");
+}
  


Regards

Rüdiger




--
Cheers

Jean-Frederic

PROXY_WORKER_FREE and PROXY_WORKER_DRAIN

[jean-frederic clere]

Hi,

Actually those are not used, what was the idea when creating them?

Guessing  mark the worker as DRAIN (for draining) and later as FREE for 
reuse..., but how to define a FREE worker? Basically how to be sure it 
completely drained.


Comments?
--
Cheers

Jean-Frederic

Re: svn commit: r1890945 - /httpd/httpd/branches/2.4.x/STATUS

[jean-frederic clere]

On 21/06/2021 18:45, minf...@apache.org wrote:

Author: minfrin
Date: Mon Jun 21 16:45:25 2021
New Revision: 1890945

URL: http://svn.apache.org/viewvc?rev=1890945=rev
Log:
Comment.

Modified:
 httpd/httpd/branches/2.4.x/STATUS

Modified: httpd/httpd/branches/2.4.x/STATUS
URL: 
http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1890945=1890944=1890945=diff
==
--- httpd/httpd/branches/2.4.x/STATUS (original)
+++ httpd/httpd/branches/2.4.x/STATUS Mon Jun 21 16:45:25 2021
@@ -164,6 +164,7 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   Backport version for 2.4.x of patch:
https://people.apache.org/~jfclere/patches/patch.210607.txt
   +1: jfclere, jim
+ minfrin: tiny cleanup needed: warning: unused function 'safe_referer'
  
 *) back port: Add CPING to health check logic.

   Trunk version of patch:




Oops it seems I have removed too much stuff in my backport I guess I 
need a new propose, thanks for checking.


--
Cheers

Jean-Frederic

Re: mod_proxy / mod_ssl interworking

[jean-frederic clere]

On 01/06/2021 19:37, Stefan Eissing wrote:




Am 01.06.2021 um 18:21 schrieb jean-frederic clere :

On 01/06/2021 16:40, Stefan Eissing wrote:

Am 01.06.2021 um 16:39 schrieb Stefan Eissing :

PR on trunk, for review and commenting: https://github.com/apache/httpd/pull/190

This change makes it possible to have more than one SSL module handling proxy 
connections. The intention is to do this in a backward compatible way, like the 
previous ap_ssl_* changes.

The addition of a `conn_rec->outgoing` flag, set for these connections, makes 
it easy for any connection handling code to filter on the types of connections it 
is interested in.

Our test suite runs fine with these changes.

He said while Travis is still running...optimistic as always...


https://github.com/apache/httpd/pull/190/commits/867fa126f21575f104a1717ac49eaf1d8a558d77#diff-5506c76bad00bf136938033783d8d966bc463de54a679d3a8a390621b7a793c1R131

Should that be filled "automagically"?


How would you advise in filling that out before I commit to trunk?



I was thinking of telling this build something like ignore the PR it is 
for review but that is too complex for nearly no benefits. Sorry for 
noises.


--
Cheers

Jean-Frederic

Re: mod_proxy / mod_ssl interworking

[jean-frederic clere]

On 01/06/2021 16:40, Stefan Eissing wrote:




Am 01.06.2021 um 16:39 schrieb Stefan Eissing :

PR on trunk, for review and commenting: https://github.com/apache/httpd/pull/190

This change makes it possible to have more than one SSL module handling proxy 
connections. The intention is to do this in a backward compatible way, like the 
previous ap_ssl_* changes.

The addition of a `conn_rec->outgoing` flag, set for these connections, makes 
it easy for any connection handling code to filter on the types of connections it 
is interested in.

Our test suite runs fine with these changes.


He said while Travis is still running...optimistic as always...



https://github.com/apache/httpd/pull/190/commits/867fa126f21575f104a1717ac49eaf1d8a558d77#diff-5506c76bad00bf136938033783d8d966bc463de54a679d3a8a390621b7a793c1R131

Should that be filled "automagically"?

--
Cheers

Jean-Frederic

Re: svn commit: r1879145 - in /httpd/httpd/trunk: include/ap_mmn.h modules/proxy/mod_proxy.c modules/proxy/mod_proxy.h

[jean-frederic clere]

On 24/06/2020 12:16, yla...@apache.org wrote:

Author: ylavic
Date: Wed Jun 24 10:16:06 2020
New Revision: 1879145

URL: http://svn.apache.org/viewvc?rev=1879145=rev
Log:
Follow up to r1879080: replace ProxyUseOriginalURI by mapping=encoded.

Instead of having a separate ProxyUseOriginalURI directive to control pre_ vs
normal translate stage, let's handle this at each ProxyPass level, with the
mapping= parameter.


Any plans to document the feature? If not, I will prepare tests and docs ;-)

Cheers

Jean-Frederic

Re: [VOTE] Release httpd-2.4.48

[jean-frederic clere]

On 17/05/2021 23:36, Christophe JAILLET wrote:

[X] +1: It's not just good, it's good enough!


Tests are OK on fedora 34.

Note that we miss the back port of 
https://github.com/apache/httpd/pull/186 for GCC11 for the 
--enable-maintainer-mode


--
Cheers

Jean-Frederic

Re: htcacheclean.c error when compiling with apr-1.6.x and apr-1.7.x

[jean-frederic clere]

On 07/05/2021 11:12, Joe Orton wrote:

On Tue, May 04, 2021 at 09:12:04AM +0200, jean-frederic clere wrote:

On 04/05/2021 08:59, jean-frederic clere wrote:

...

In file included from htcacheclean.c:36:
htcacheclean.c: In function ‘process_dir’:
/home/jfclere/APR-1.7.x/include/apr-1/apr_ring.h:183:37: error: array
subscript ‘struct _direntry[0]’ is partly outside array bounds of
‘struct [1]’ [-Werror=array-bounds]
    183 | #define APR_RING_PREV(ep, link) (ep)->link.prev
    | ^~
/home/jfclere/APR-1.7.x/include/apr-1/apr_ring.h:230:38: note: in
expansion of macro ‘APR_RING_PREV’
    230 | APR_RING_PREV((ep1), link) = APR_RING_PREV((lep),
link);    \
    |
+++

Before looking more closely to the problem I have a question, trunk
should be building with apr 1.7.x and apr-util 1.6.x correct?

I used to build with apr 1.6.x and apr-util 1.6.x but something looks
broken now.


Or is that a regression in gcc on fedora34? :-(


It seems to be new with GCC 11, these are warnings which become errors
you since are using --enable-maintainer-mode.


Correct that is the problem: Fedora34 updated gcc.

I have reported a bz:
https://bugzilla.redhat.com/show_bug.cgi?id=1957353

I will close it with a link to the fix once you commit the fix ;-)




The extensive use of APR_RING* is warning-free in all the APR bucket
brigade code even with GCC 11, it is the different way the ring API is
used in both htcacheclean and event/simple which which is triggering
warnings here.

In both case we have an APR_RING_ENTRY declared outside of the structure
which they are embedded in.  Perhaps this is one of the implications
warned about in apr_ring.h:

https://svn.apache.org/viewvc/apr/apr/trunk/include/apr_ring.h?revision=1074876=markup#l65

It seems trivial to fix the warning by using the link as embedded in the
structure (attached), though I haven't tested this.


Tested. +1 to merge it ;-)



Regards, Joe





--
Cheers

Jean-Frederic

reporting the bytes read and transferred to the worker from the tunnel

[jean-frederic clere]

Hi,

I have noted that when using websocket the bytes read and transfered by 
the worker when using the tunnel are not taken in account.


I have a patch attached, for comments ;-)

Any better ideas how to fix that?

--
Cheers

Jean-Frederic
Index: mod_proxy.h
===
--- mod_proxy.h (revision 1889510)
+++ mod_proxy.h (working copy)
@@ -1470,10 +1470,25 @@
apr_bucket_brigade 
*bb_i,
apr_bucket_brigade 
*bb_o,
const char *name,
-   int *sent,
+   apr_off_t *sent,
apr_off_t bsize,
int flags);
 
+/* 
+ * returns number of bytes read from the back end tunnel
+ * @param ptunnel proxy_tunnel_rec use during the tunnelling.
+ * @return  apr_off_t number of bytes read.
+ */
+PROXY_DECLARE (apr_off_t) ap_proxy_tunnel_conn_get_read(
+   proxy_tunnel_rec 
*ptunnel);
+/*
+ * returns number of bytes sent to the back end tunnel
+ * @param ptunnel proxy_tunnel_rec use during the tunnelling.
+ * @return  apr_off_t number of bytes sent.
+ */
+PROXY_DECLARE (apr_off_t) ap_proxy_tunnel_conn_get_transferred(
+   proxy_tunnel_rec 
*ptunnel);
+
 extern module PROXY_DECLARE_DATA proxy_module;
 
 #endif /*MOD_PROXY_H*/
Index: mod_proxy_http.c
===
--- mod_proxy_http.c(revision 1889510)
+++ mod_proxy_http.c(working copy)
@@ -1542,6 +1542,8 @@
 r->status = status;
 }
 
+backend->worker->s->read = backend->worker->s->read + 
ap_proxy_tunnel_conn_get_read(req->tunnel);
+backend->worker->s->transferred = backend->worker->s->transferred 
+ ap_proxy_tunnel_conn_get_transferred(req->tunnel);
 /* We are done with both connections */
 r->connection->keepalive = AP_CONN_CLOSE;
 backend->close = 1;
Index: proxy_util.c
===
--- proxy_util.c(revision 1889510)
+++ proxy_util.c(working copy)
@@ -4404,7 +4404,7 @@
apr_bucket_brigade 
*bb_i,
apr_bucket_brigade 
*bb_o,
const char *name,
-   int *sent,
+   apr_off_t *sent,
apr_off_t bsize,
int flags)
 {
@@ -4411,9 +4411,7 @@
 apr_status_t rv;
 int flush_each = 0;
 unsigned int num_reads = 0;
-#ifdef DEBUGGING
 apr_off_t len;
-#endif
 
 /*
  * Compat: since FLUSH_EACH is default (and zero) for legacy reasons, we
@@ -4456,7 +4454,6 @@
 if (APR_BRIGADE_EMPTY(bb_i)) {
 break;
 }
-#ifdef DEBUGGING
 len = -1;
 apr_brigade_length(bb_i, 0, );
 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(03306)
@@ -4463,9 +4460,8 @@
   "ap_proxy_transfer_between_connections: "
   "read %" APR_OFF_T_FMT
   " bytes from %s", len, name);
-#endif
-if (sent) {
-*sent = 1;
+if (sent && len > 0) {
+*sent = *sent + len;
 }
 ap_proxy_buckets_lifetime_transform(r, bb_i, bb_o);
 if (flush_each) {
@@ -4559,8 +4555,18 @@
 
 unsigned int down_in:1,
  down_out:1;
+apr_off_t exchanged;
 };
 
+PROXY_DECLARE(apr_off_t) ap_proxy_tunnel_conn_get_read(proxy_tunnel_rec 
*ptunnel)
+{
+return ptunnel->origin->exchanged;
+}
+PROXY_DECLARE(apr_off_t) ap_proxy_tunnel_conn_get_transferred(proxy_tunnel_rec 
*ptunnel)
+{
+return ptunnel->client->exchanged;
+}
+
 PROXY_DECLARE(apr_status_t) ap_proxy_tunnel_create(proxy_tunnel_rec **ptunnel,
request_rec *r, conn_rec 
*c_o,
const char *scheme)
@@ -4693,7 +4699,7 @@
 {
 struct proxy_tunnel_conn *out = in->other;
 apr_status_t rv;
-int sent = 0;
+apr_off_t sent = 0;
 
 ap_log_rerror(APLOG_MARK, APLOG_TRACE8, 0, tunnel->r,
   "proxy: %s: %s input ready",
@@ -4709,6 +4715,9 @@
 if (sent && out == tunnel->client) {
 tunnel->replied = 1;
 }
+
+in->exchanged = in->exchanged + sent;
+
 if (rv != APR_SUCCESS) {
 if (APR_STATUS_IS_INCOMPLETE(rv)) {

Re: htcacheclean.c error when compiling with apr-1.6.x and apr-1.7.x

[jean-frederic clere]

On 04/05/2021 08:59, jean-frederic clere wrote:

Hi,

I have the following:
+++
/home/jfclere/APR-1.7.x/build-1/libtool --silent --mode=compile gcc  -g 
-O2 -pthread -std=c89 -Werror -Wall -Wstrict-prototypes 
-Wmissing-prototypes -Wmissing-declarations 
-Wdeclaration-after-statement -Wpointer-arith -Wformat -Wformat-security 
-Wunused -DLINUX -D_REENTRANT -D_GNU_SOURCE -DAP_DEBUG    -I. 
-I/home/jfclere/httpd-trunk/os/unix -I/home/jfclere/httpd-trunk/include 
-I/home/jfclere/APR-1.7.x/include/apr-1 
-I/home/jfclere/APU-1.6.x/include/apr-1 
-I/home/jfclere/httpd-trunk/modules/aaa 
-I/home/jfclere/httpd-trunk/modules/cache 
-I/home/jfclere/httpd-trunk/modules/core 
-I/home/jfclere/httpd-trunk/modules/database 
-I/home/jfclere/httpd-trunk/modules/filters 
-I/home/jfclere/httpd-trunk/modules/ldap 
-I/home/jfclere/httpd-trunk/modules/loggers 
-I/home/jfclere/httpd-trunk/modules/lua 
-I/home/jfclere/httpd-trunk/modules/proxy 
-I/home/jfclere/httpd-trunk/modules/http2 
-I/home/jfclere/httpd-trunk/modules/session 
-I/home/jfclere/httpd-trunk/modules/ssl 
-I/home/jfclere/httpd-trunk/modules/test 
-I/home/jfclere/httpd-trunk/server 
-I/home/jfclere/httpd-trunk/modules/md 
-I/home/jfclere/httpd-trunk/modules/arch/unix 
-I/home/jfclere/httpd-trunk/modules/dav/main 
-I/home/jfclere/httpd-trunk/modules/generators 
-I/home/jfclere/httpd-trunk/modules/mappers  -prefer-non-pic -static -c 
htcacheclean.c -o htcacheclean.lo

In file included from htcacheclean.c:36:
htcacheclean.c: In function ‘process_dir’:
/home/jfclere/APR-1.7.x/include/apr-1/apr_ring.h:183:37: error: array 
subscript ‘struct _direntry[0]’ is partly outside array bounds of 
‘struct [1]’ [-Werror=array-bounds]

   183 | #define APR_RING_PREV(ep, link) (ep)->link.prev
   | ^~
/home/jfclere/APR-1.7.x/include/apr-1/apr_ring.h:230:38: note: in 
expansion of macro ‘APR_RING_PREV’
   230 | APR_RING_PREV((ep1), link) = APR_RING_PREV((lep), 
link);    \

   |
+++

Before looking more closely to the problem I have a question, trunk 
should be building with apr 1.7.x and apr-util 1.6.x correct?


I used to build with apr 1.6.x and apr-util 1.6.x but something looks 
broken now.




Or is that a regression in gcc on fedora34? :-(

--
Cheers

Jean-Frederic

htcacheclean.c error when compiling with apr-1.6.x and apr-1.7.x

[jean-frederic clere]

Hi,

I have the following:
+++
/home/jfclere/APR-1.7.x/build-1/libtool --silent --mode=compile gcc  -g 
-O2 -pthread -std=c89 -Werror -Wall -Wstrict-prototypes 
-Wmissing-prototypes -Wmissing-declarations 
-Wdeclaration-after-statement -Wpointer-arith -Wformat -Wformat-security 
-Wunused -DLINUX -D_REENTRANT -D_GNU_SOURCE -DAP_DEBUG-I. 
-I/home/jfclere/httpd-trunk/os/unix -I/home/jfclere/httpd-trunk/include 
-I/home/jfclere/APR-1.7.x/include/apr-1 
-I/home/jfclere/APU-1.6.x/include/apr-1 
-I/home/jfclere/httpd-trunk/modules/aaa 
-I/home/jfclere/httpd-trunk/modules/cache 
-I/home/jfclere/httpd-trunk/modules/core 
-I/home/jfclere/httpd-trunk/modules/database 
-I/home/jfclere/httpd-trunk/modules/filters 
-I/home/jfclere/httpd-trunk/modules/ldap 
-I/home/jfclere/httpd-trunk/modules/loggers 
-I/home/jfclere/httpd-trunk/modules/lua 
-I/home/jfclere/httpd-trunk/modules/proxy 
-I/home/jfclere/httpd-trunk/modules/http2 
-I/home/jfclere/httpd-trunk/modules/session 
-I/home/jfclere/httpd-trunk/modules/ssl 
-I/home/jfclere/httpd-trunk/modules/test 
-I/home/jfclere/httpd-trunk/server 
-I/home/jfclere/httpd-trunk/modules/md 
-I/home/jfclere/httpd-trunk/modules/arch/unix 
-I/home/jfclere/httpd-trunk/modules/dav/main 
-I/home/jfclere/httpd-trunk/modules/generators 
-I/home/jfclere/httpd-trunk/modules/mappers  -prefer-non-pic -static -c 
htcacheclean.c -o htcacheclean.lo

In file included from htcacheclean.c:36:
htcacheclean.c: In function ‘process_dir’:
/home/jfclere/APR-1.7.x/include/apr-1/apr_ring.h:183:37: error: array 
subscript ‘struct _direntry[0]’ is partly outside array bounds of 
‘struct [1]’ [-Werror=array-bounds]

  183 | #define APR_RING_PREV(ep, link) (ep)->link.prev
  | ^~
/home/jfclere/APR-1.7.x/include/apr-1/apr_ring.h:230:38: note: in 
expansion of macro ‘APR_RING_PREV’
  230 | APR_RING_PREV((ep1), link) = APR_RING_PREV((lep), 
link);\

  |
+++

Before looking more closely to the problem I have a question, trunk 
should be building with apr 1.7.x and apr-util 1.6.x correct?


I used to build with apr 1.6.x and apr-util 1.6.x but something looks 
broken now.


--
Cheers

Jean-Frederic

Re: svn commit: r1887415 - in /httpd/httpd/trunk/modules/proxy: mod_proxy.h mod_proxy_ajp.c mod_proxy_balancer.c mod_proxy_hcheck.c

[jean-frederic clere]

On 10/03/2021 12:24, Ruediger Pluem wrote:



On 3/10/21 11:36 AM, jfcl...@apache.org wrote:

Author: jfclere
Date: Wed Mar 10 10:36:46 2021
New Revision: 1887415

URL: http://svn.apache.org/viewvc?rev=1887415=rev
Log:
Add CPING to health check logic.

Modified:
 httpd/httpd/trunk/modules/proxy/mod_proxy.h
 httpd/httpd/trunk/modules/proxy/mod_proxy_ajp.c
 httpd/httpd/trunk/modules/proxy/mod_proxy_balancer.c
 httpd/httpd/trunk/modules/proxy/mod_proxy_hcheck.c




Modified: httpd/httpd/trunk/modules/proxy/mod_proxy_hcheck.c
URL: 
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_hcheck.c?rev=1887415=1887414=1887415=diff
==
--- httpd/httpd/trunk/modules/proxy/mod_proxy_hcheck.c (original)
+++ httpd/httpd/trunk/modules/proxy/mod_proxy_hcheck.c Wed Mar 10 10:36:46 2021



@@ -613,6 +615,39 @@ static int hc_get_backend(const char *pr
  return hc_determine_connection(ctx, hc, &(*backend)->addr, ptemp);
  }
  
+static apr_status_t hc_check_cping(baton_t *baton)

+{
+int status;
+sctx_t *ctx = baton->ctx;
+proxy_worker *hc = baton->hc;
+proxy_conn_rec *backend = NULL;
+apr_pool_t *ptemp = baton->ptemp;
+request_rec *r;
+apr_interval_time_t timeout;
+
+if (!ajp_handle_cping_cpong) {
+return APR_ENOTIMPL;
+}
+
+ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, baton->ctx->s, "HCCPING 
starting");
+if ((status = hc_get_backend("HCCPING", , hc, ctx, baton->ptemp)) 
!= OK) {
+return backend_cleanup("HCCPING", backend, ctx->s, status);
+}
+if ((status = ap_proxy_connect_backend("HCCPING", backend, hc, ctx->s)) != 
OK) {
+return backend_cleanup("HCCPING", backend, ctx->s, status);
+}
+r = create_request_rec(ptemp, ctx->s, baton->balancer, "CPING");
+if ((status = ap_proxy_connection_create_ex("HCCPING", backend, r)) != OK) 
{
+return backend_cleanup("HCCPING", backend, ctx->s, status);
+}
+set_request_connection(r, backend->connection);
+
+timeout = apr_time_from_sec(10); /* 10 seconds */


I don't like hardcoded timeouts. How about hc->s->ping_timeout instead?
This would require to copy the setting from the worker if present in 
hc_get_hcworker where we should copy the timeout field as
well from my point of view. We could make a cascaded choice here then:

hc->s->ping_timeout, hc->s->conn_timeout, hc->s->timeout, 
apr_socket_timeout_get(backend->sock)


Oops I will fix that ASAP thanks, I committed too early :-(




+status = ajp_handle_cping_cpong(backend->sock, r, timeout);
+ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, baton->ctx->s, "HCCPING done %d", 
status);
+return backend_cleanup("HCCPING", backend, ctx->s, status);
+}
+
  static apr_status_t hc_check_tcp(baton_t *baton)
  {
  int status;


Regards

Rüdiger




--
Cheers

Jean-Frederic

Re: svn commit: r1887415 - in /httpd/httpd/trunk/modules/proxy: mod_proxy.h mod_proxy_ajp.c mod_proxy_balancer.c mod_proxy_hcheck.c

[jean-frederic clere]

On 10/03/2021 11:36, jfcl...@apache.org wrote:

Modified: httpd/httpd/trunk/modules/proxy/mod_proxy_balancer.c
URL:http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_balancer.c?rev=1887415=1887414=1887415=diff
==
--- httpd/httpd/trunk/modules/proxy/mod_proxy_balancer.c (original)
+++ httpd/httpd/trunk/modules/proxy/mod_proxy_balancer.c Wed Mar 10 10:36:46 
2021
@@ -1087,6 +1087,8 @@ static void push2table(const char *input
  }
  ap_unescape_url(key);
  ap_unescape_url(val);
+/* hcuri, worker name, balancer name, at least  are escaped when 
building the form, so twice */
+ap_unescape_url(val);
  if (allowed == NULL) { /* allow all */
  apr_table_set(params, key, val);


I noted the problem with worker URL: ajp://[0:0:0:0:0:0:0:1]:8081

In fact the worker encoded in the form to:


So it get encoded twice, as well as hcuri and balancer name.
Does it make more sense to remove the encoding while building the form?


--
Cheers

Jean-Frederic

hcmethod_t

[jean-frederic clere]

Hi,

While looking to mod_proxy_hcheck.c, only TCP,  OPTIONS, HEAD and GET 
are supported and documented (so we are good!).


In mod_proxy.c we have additionally:
{CPING, "CPING", 0},
{PROVIDER, "PROVIDER", 0},
{EOT, NULL, 1}
The CPING is the probably the AJP CPING, but what are the 2 others? What 
is planed to have there? ;-)


--
Cheers

Jean-Frederic

Re: svn commit: r1887176 - /httpd/httpd/trunk/modules/proxy/mod_proxy_balancer.c

[jean-frederic clere]

On 08/03/2021 08:38, Ruediger Pluem wrote:



On 3/4/21 3:00 PM, jfcl...@apache.org wrote:

Author: jfclere
Date: Thu Mar  4 14:00:45 2021
New Revision: 1887176

URL: http://svn.apache.org/viewvc?rev=1887176=rev
Log:
Add balancer_manage() to allow external module to fill workers for balancers.

Modified:
 httpd/httpd/trunk/modules/proxy/mod_proxy_balancer.c

Modified: httpd/httpd/trunk/modules/proxy/mod_proxy_balancer.c
URL: 
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_balancer.c?rev=1887176=1887175=1887176=diff
==
--- httpd/httpd/trunk/modules/proxy/mod_proxy_balancer.c (original)
+++ httpd/httpd/trunk/modules/proxy/mod_proxy_balancer.c Thu Mar  4 14:00:45 
2021
@@ -1376,6 +1376,42 @@ static int balancer_process_balancer_wor
  }
  
  /*

+ * Process a request for balancer or worker management from another module
+ */
+static int balancer_manage(request_rec *r, apr_table_t *params)
+{
+void *sconf;
+proxy_server_conf *conf;
+proxy_balancer *bsel = NULL;
+proxy_worker *wsel = NULL;
+const char *name;
+sconf = r->server->module_config;
+conf = (proxy_server_conf *) ap_get_module_config(sconf, _module);
+
+/* Process the parameters */
+if ((name = apr_table_get(params, "b"))) {
+ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "balancer_manage "
+  "balancer: %s", name);
+bsel = ap_proxy_get_balancer(r->pool, conf,
+apr_pstrcat(r->pool, BALANCER_PREFIX, name, NULL), 0);
+}
+
+if ((name = apr_table_get(params, "w"))) {
+ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "balancer_manage "
+  "worker: %s", name);
+wsel = ap_proxy_get_worker(r->pool, bsel, conf, name);
+}
+if (bsel) {
+ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "balancer_manage "
+  "balancer: %s",  bsel->s->name);
+return(balancer_process_balancer_worker(r, conf, bsel, wsel, params));
+}
+ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "balancer_manage failed: "
+  "No balancer!");
+return HTTP_BAD_REQUEST;
+}
+
+/*
   * builds the page and links to configure via HTLM or XML.
   */
  static void balancer_display_page(request_rec *r, proxy_server_conf *conf,
@@ -2024,6 +2060,7 @@ static void ap_proxy_balancer_register_h
  static const char *const aszPred[] = { "mpm_winnt.c", 
"mod_slotmem_shm.c", NULL};
  static const char *const aszPred2[] = { "mod_proxy.c", NULL};
   /* manager handler */
+ap_register_provider(p, "balancer", "manager", "0", _manage);


Wouldn't it be better to create a structure in mod_proxy.h that currently has 
only one field namely a function pointer
of int balancer_manage (request_rec *, apr_table_t *). This would declare this 
as a public API and would make
it possible to extend it later if needed.
If the API is planned to be limited to just this single function wouldn't an 
optional function serve us better here?


My plans are to extent balancer_manage() by supporting more parameters, 
but the approach to create a structure of function pointers is probably 
more flexible, I will prepare a new proposal this week.




Regards

Rüdiger




--
Cheers

Jean-Frederic

Re: Broken: apache/httpd#1471 (trunk - 89d5433)

[jean-frederic clere]

Oops


# Noop config to trigger merging bug.
Require all granted


I am investigating :-(


--
Cheers

Jean-Frederic

Re: Allowing balancer without ProxyPass

[jean-frederic clere]

On 02/03/2021 16:07, Yann Ylavic wrote:

On Tue, Mar 2, 2021 at 3:44 PM jean-frederic clere  wrote:


On 02/03/2021 12:35, Yann Ylavic wrote:

On Tue, Mar 2, 2021 at 11:05 AM jean-frederic clere  wrote:


Has anyone something against making the above creating a balancer that
can be used later by the balancer-manager handler to create the
corresponding workers and a customized load_balancer provider to replace
the ProxyPass logic?


+1

That's something like this right?


Yes ;-)


OK, but note that it also affects the proxy workers (not only
balancers), such that it may define workers that weren't previously
and thus enabling keepalive and things like this for them.


Yes I already had to add a WorkerGrowth directive in my prototype to be 
able to create the workers via the logic of the balancer-handler.




So at backport time (if ever), this is possibly something to think about ;)


Yes I will try to minimize changes ;-)



Cheers;
Yann.




--
Cheers

Jean-Frederic

Re: Allowing balancer without ProxyPass

[jean-frederic clere]

On 02/03/2021 12:35, Yann Ylavic wrote:

On Tue, Mar 2, 2021 at 11:05 AM jean-frederic clere  wrote:


Has anyone something against making the above creating a balancer that
can be used later by the balancer-manager handler to create the
corresponding workers and a customized load_balancer provider to replace
the ProxyPass logic?


+1

That's something like this right?


Yes ;-)



Index: modules/proxy/mod_proxy.c
===
--- modules/proxy/mod_proxy.c(revision 1887057)
+++ modules/proxy/mod_proxy.c(working copy)
@@ -2649,7 +2649,7 @@ static const char *proxysection(cmd_parms *cmd, vo

  ap_add_per_proxy_conf(cmd->server, new_dir_conf);

-if (*arg != '\0') {
+{
  if (thiscmd->cmd_data)
  return "Multiple  arguments not (yet) supported.";
  if (conf->p_is_fnmatch)
--

Regards;
Yann.




--
Cheers

Jean-Frederic

Allowing balancer without ProxyPass

[jean-frederic clere]

Hi,

The following in httpd.conf:
+++


+++
does nothing in a configuration, not even a warning ;-)

Has anyone something against making the above creating a balancer that 
can be used later by the balancer-manager handler to create the 
corresponding workers and a customized load_balancer provider to replace 
the ProxyPass logic?


--
Cheers

Jean-Frederic

BalancerGrowth

[jean-frederic clere]

Hi,

BalancerGrowth directive in fact does nothing...

Looking to balancer_process_balancer_worker() it looks easy to add the 
missing code to have a form to create it. There are missing pieces, a 
nonce at the conf level (does it make sense to add it?) and a gmutex for 
each of the "possible" balancer (to create in balancer_post_config() and 
init balancer_child_init()) does it worth trying it?


--
Cheers

Jean-Frederic

Re: warning in error_log when using websocket tunnel

[jean-frederic clere]

On 12/02/2021 18:09, Yann Ylavic wrote:

On Fri, Feb 12, 2021 at 5:59 PM jean-frederic clere  wrote:


On 12/02/2021 17:34, Ruediger Pluem wrote:


On 2/12/21 5:17 PM, jean-frederic clere wrote:

[]

  do {
  rv = apr_pollset_poll(pollset, timeout, , );
  } while (APR_STATUS_IS_EINTR(rv));
+++

I don't remember why we have the while here...


We ignore EINTR anywhere in the core/network modules (even in the APR).
But what could we do about it, abort everything while it may be a graceful stop?
I think we rely on ungraceful stop to ungracefully stop us..


Is there a way to test why the get the signal in ap_proxy_tunnel_run() and 
react on shutdown command to prevent the warning message?


Maybe we could run ap_mpm_query(AP_MPMQ_MPM_STATE, )
and drop out if result == AP_MPMQ_STOPPING


Yes that works ;-)


But typically the shutdown is graceful in the sense that the request should be 
finished. Maybe a bad idea with long lasting tunnels.


Correct...


I'd rather we let ungraceful stop do its job, and maybe lower the
timeout on AP_MPMQ_STOPPING when (e.g.) ProxyAsyncGracefulTimeout is
configured?

By the way Jean-Frédéric, does this AH00045 happen on graceful or
ungraceful stop/restart, or both?


Only on ungraceful, with the graceful a timeout occurs (we might check 
for timeout to prevent httpd to wait for ever but it seems there is 
always a timeout...)





Regards;
Yann.




--
Cheers

Jean-Frederic

Re: warning in error_log when using websocket tunnel

[jean-frederic clere]

On 12/02/2021 17:34, Ruediger Pluem wrote:



On 2/12/21 5:17 PM, jean-frederic clere wrote:

Hi,

I have the warnings in error_log when a web socket is opened at the shutdown 
time:

+++
[Fri Feb 12 16:10:39.243444 2021] [core:warn] [pid 2879580:tid 140162655000576] 
AH00045: child process 2879590 still did not exit,
sending a SIGTERM
[Fri Feb 12 16:10:41.245444 2021] [core:warn] [pid 2879580:tid 140162655000576] 
AH00045: child process 2879590 still did not exit,
sending a SIGTERM
+++

ap_proxy_tunnel_run()

there is:
+++
     do {
     const apr_pollfd_t *results;
     apr_int32_t nresults, i;

     ap_log_rerror(APLOG_MARK, APLOG_TRACE8, 0, r,
   "proxy: %s: polling (client=%hx, origin=%hx)",
   scheme, client->pfd->reqevents, origin->pfd->reqevents);
     do {
     rv = apr_pollset_poll(pollset, timeout, , );
     } while (APR_STATUS_IS_EINTR(rv));
+++

I don't remember why we have the while here...
Is there a way to test why the get the signal in ap_proxy_tunnel_run() and 
react on shutdown command to prevent the warning message?


Maybe we could run ap_mpm_query(AP_MPMQ_MPM_STATE, )
and drop out if result == AP_MPMQ_STOPPING


Yes that works ;-)


But typically the shutdown is graceful in the sense that the request should be 
finished. Maybe a bad idea with long lasting tunnels.


Correct...



Regards

Rüdiger




--
Cheers

Jean-Frederic

warning in error_log when using websocket tunnel

[jean-frederic clere]

Hi,

I have the warnings in error_log when a web socket is opened at the 
shutdown time:


+++
[Fri Feb 12 16:10:39.243444 2021] [core:warn] [pid 2879580:tid 
140162655000576] AH00045: child process 2879590 still did not exit, 
sending a SIGTERM
[Fri Feb 12 16:10:41.245444 2021] [core:warn] [pid 2879580:tid 
140162655000576] AH00045: child process 2879590 still did not exit, 
sending a SIGTERM

+++

ap_proxy_tunnel_run()

there is:
+++
do {
const apr_pollfd_t *results;
apr_int32_t nresults, i;

ap_log_rerror(APLOG_MARK, APLOG_TRACE8, 0, r,
  "proxy: %s: polling (client=%hx, origin=%hx)",
  scheme, client->pfd->reqevents, 
origin->pfd->reqevents);

do {
rv = apr_pollset_poll(pollset, timeout, , );
} while (APR_STATUS_IS_EINTR(rv));
+++

I don't remember why we have the while here...
Is there a way to test why the get the signal in ap_proxy_tunnel_run() 
and react on shutdown command to prevent the warning message?


--
Cheers

Jean-Frederic

Re: Process to remove spam in BZ

[jean-frederic clere]

On 19/01/2021 12:11, Yann Ylavic wrote:

Hi Jean-Frédéric,



Is there a process to remove spam in BZ, for example
https://bz.apache.org/bugzilla/show_bug.cgi?id=60757 has spam added to it...


The process is to send an email to infra to signal the spam (pointing
to the whole bz or the #comment only).
They will act upon by removing the spam and banning the user.

Cheers;
Yann.



OK, I mailed infra, thanks

--
Cheers

Jean-Frederic

Process to remove spam in BZ

[jean-frederic clere]

Hi,

Is there a process to remove spam in BZ, for example 
https://bz.apache.org/bugzilla/show_bug.cgi?id=60757 has spam added to it...


--
Cheers

Jean-Frederic

Re: [VOTE] Release httpd-2.4.46

[jean-frederic clere]

On 01/08/2020 16:13, Daniel Ruggeri wrote:

[X] +1: It's not just good, it's good enough!


Passed on fedroa32 x86_64.

--
Cheers

Jean-Frederic

Re: [VOTE] Release httpd-2.4.45

[jean-frederic clere]

On 29/07/2020 17:26, Daniel Ruggeri wrote:

[X] +1: It's not just good, it's good enough!


Tested on fedora32 x86_64.

--
Cheers

Jean-Frederic

Re: hardening mod_write and mod_proxy like mod_jk with servletnormalize

[jean-frederic clere]

On 21/07/2020 06:51, William A Rowe Jr wrote:



On Mon, Jul 20, 2020, 10:24 Ruediger Pluem > wrote:




On 7/20/20 4:45 PM, Yann Ylavic wrote:
 > On Thu, Jul 16, 2020 at 10:31 PM Eric Covener mailto:cove...@gmail.com>> wrote:
 >>
 >> On Thu, Jul 16, 2020 at 3:31 PM Ruediger Pluem
mailto:rpl...@apache.org>> wrote:
 >>>
 >>>
 >>>
 >>> On 6/24/20 1:27 PM, Eric Covener wrote:
 >
 > ProxyMappingDecoded is not needed anymore (and was removed).
 > The mapping= tells mod_proxy at which stage ([pre_]translate) it
 > should map the request path.
  +1
 
 >>>
 >>> Getting back to an old topic. Shouldn't we have a directive
similar to
 >>> AllowEncodedSlashes that allows us to block URI's that contain
 >>> URL fragments like /.; and /..; in order to avoid that someone
plays
 >>> silly games that bypass Location settings and RewriteRules
 >>> that might be used with a servlet engine in the backend? Happy
 >>> to have that set to a default that allows /.; and /..;.
 >>
 >> +, but I'd want the safer default.
 >
 > Is this something we should care about outside the proxy
mapping=servlet case?
 > In the other cases, "/.;" and "/..;" are nothing but plain text (they
 > won't be treated as "/." and "/.." on the filesystem AFAICT), so we
 > could let them 404 normally.

I think for the default handler this is no problem. As you state
such URL's likely produce just a 404 and we are done.

 > In the mapping=servlet case, servlet normalization is applied to
 > r->[parsed_]uri (no "/.;" or "/..;" anymore), so Location/..
matchings
 > use the same uri-path than the backend.

But only if you have an appropriate ProxyPass in place. With
RewriteRules this does not work.
Hence I think we need an additional mechanism to handle this in case
of no ProxyPass directives.
I still fail to see a real use case for /..; and /.; segments. Hence
I think denying them should
be possible with a simple option without the need for a ProxyPass
directive or an additional
RewriteRule. This would also keep path parameters in other segments
as they are.
As said I am even happy if the default of this directive would keep
the current behavior.

 > This sounds a bit like we want to reject "/.;" or "/..;" for the
 > servlet case but still accept "/." and "/.." unconditionally for the
 > non-servlet case. So possibly we want a general "AllowPathTraversal"
 > directive (off by default) for the core to allow/reject "." and ".."
 > AND proxy mapping=servlet to extend it to "/.;" or "/.;" (and
probably
 > "/;" too since it's the same as "/.;" when MergeSlashes applies)?

I don't want to allow/deny '.' and '..'. Without path parameters I
just want to remove ('.') / shrink them ('..') without going
past root like we do today.


 From the beginning of this dialog, that isn't the function of an HTTP/1 
proxy. We have no business in that PER THE SPECS.


I don't understand why the Tomcat project and other servlet providers, 
after given evidence they broke the spec, and downgrade of their 
reservations of the ;params logic out of the URI spec, keep insisting 
the behavior is necessary for the HTTP transport providers to consider.


I don't understand why, Ruediger, some keep defending the .; or ..; as a 
normative acceptable path element, and refuse to consider the idea that 
every such occurance is malicious, without evidence of a single legit 
application of that formation.


If you don't want to let them slide, we *could* deny \.;.* and \.\.;.* 
by default. Or we already *can* when ajp users would like to add rewrite 
rules.


mod_proxy_http and mod_proxy_ajp behave the same way, mod_jk will return 
DECLINED and end normally in 404.


; in the URI is for a parameter like ;foo=bar I was first just 
suggesting to return 400 in possibly "unsafe" ..;/ URI using a parameter 
to prevent "regressions", but I think we ended looking to something too 
complex :-(









--
Cheers

Jean-Frederic

Re: hardening mod_write and mod_proxy like mod_jk with servletnormalize

[jean-frederic clere]

On 22/06/2020 16:12, Yann Ylavic wrote:

On Mon, Jun 22, 2020 at 2:44 PM Eric Covener  wrote:



You need to set:
 ProxyMappingDecoded off
in your vhost (or directory) for servlet mapping to be active, with a


Does it work in directory context? pre_trans is before location_walk.


Argh no, didn't think of it :/

For this we have to add a third location walk in
ap_process_request_internal(), something like the attached.
To minimize impact, I save the original r->uri and don't re-walk if it
didn't change, that should address most common cases IMHO.

Would that work?



Do we want:
curl -v --path-as-is "http://localhost:8000/docs/..;food=bar/test/index.jsp;
ProxyMappingDecoded Off

  ProxyPass  ajp://localhost:8009/docs secret=%A1b2!@ mapping=servlet


  ProxyPass  ajp://localhost:8009/test secret=%A1b2!@ mapping=servlet

To map to tomcat?

like:
ProxyMappingDecoded Off
ProxyPass  /docs ajp://localhost:8009/docs secret=%A1b2!@ mapping=servlet
ProxyPass  /test ajp://localhost:8009/test secret=%A1b2!@ mapping=servlet


--
Cheers

Jean-Frederic

Re: hardening mod_write and mod_proxy like mod_jk with servletnormalize

[jean-frederic clere]

On 22/06/2020 13:02, Yann Ylavic wrote:

On Mon, Jun 22, 2020 at 12:33 PM jean-frederic clere  wrote:


On 22/06/2020 12:23, Yann Ylavic wrote:

On Mon, Jun 22, 2020 at 12:13 PM jean-frederic clere  wrote:




But there is still something I want to prevent:
ProxyPass  /docs ajp://localhost:8009/docs
and url like:
curl -v --path-as-is "http://localhost:8000/docs/..;food=bar/test/index.jsp;
How do we do that? Do we want a 400 for that? (my proposal do that :-)).


Why would we 400?
Either there is a mapping for /test[/] and we'll be OK, or there is
none we'll be DECLINED.


For the moment I am getting a 200 and the test/index.jsp from tomcat...


Hmm, do you mean that mod_proxy (alias_match_servlet) forwards
http://localhost:8000/test/index.php in this case, even if there is no
mapping for "/test" ??


Yes :D


I can't reproduce, did you forget "ProxyMappingDecoded off" by any chance?


Oops: retesting:
curl -v --path-as-is "http://localhost:8000/docs/..;food=bar/test/index.jsp;


ProxyMappingDecoded On
ProxyPass  /docs ajp://localhost:8009/docs secret=%A1b2!@
Mapped to tomcat

ProxyMappingDecoded On
ProxyPass  /docs ajp://localhost:8009/docs secret=%A1b2!@ mapping=servlet
Mapped to tomcat

ProxyMappingDecoded Off
ProxyPass  /docs ajp://localhost:8009/docs secret=%A1b2!@ mapping=servlet
404 httpd

ProxyMappingDecoded Off
ProxyPass  /docs ajp://localhost:8009/docs secret=%A1b2!@
Mapped to tomcat




Well tomcat maps "http://localhost:8080/docs/..;food=bar/test/index.jsp;
to http://localhost:8080/test/index.jsp which looks bad if you only map
ProxyPass  /docs ajp://localhost:8009/docs


Sure, but mod_proxy shouldn't forward
"/docs/..;food=bar/test/index.jsp" if there is no mapping for "/test",
but only when servlet mapping is activated. Otherwise the "normal"
mapping applies, which with "/docs" as alias does indeed forward the
above..

Remember that currently with my patch, servlet mapping only applies in
pre_translate_name hook, before URI-path decoding, because we don't
want that "%3B" be decoded first and then interpreted as ';' by
servlet mapping (this is not a sub-delims when encoded), thus
"ProxyMappingDecoded off" is required.


OK. Using:
curl -v --path-as-is "http://localhost:8000/docs/..;food=bar/test/index.jsp;
ProxyMappingDecoded Off
ProxyPass  /docs ajp://localhost:8009/docs secret=%A1b2!@ mapping=servlet
ProxyPass  /test ajp://localhost:8009/test secret=%A1b2!@ mapping=servlet
Mapped to tomcat and the log:
+++
[Mon Jun 22 14:07:29.840763 2020] [proxy:trace2] [pid 36180:tid 
140211478607616] proxy_util.c(2220): [client ::1:54188] ajp: found 
worker ajp://localhost/test for ajp://localhost/test/index.jsp

+++
Correct it uses ajp://localhost/test
Looks good.



Now that the patches are committed to svn (I just did),


Cool back port to 2.4.x is that easy correct?


I was about to
open another thread about this or more generally how we should handle
decoding w.r.t. ProxyMappingDecoded, because as it stands
ProxyMappingDecoded will affect all location / directory / file /
etc.. walks and matchings, since r->uri will remain non-decoded for
the whole request handling.
That may be what we want, but a mod_proxy directive for this can look
a bit surprising since it affects the core handling too.


Yes the name ProxyMappingDecoded now looks weird ;-)




Regards;
Yann.




--
Cheers

Jean-Frederic

Re: hardening mod_write and mod_proxy like mod_jk with servletnormalize

[jean-frederic clere]

On 22/06/2020 12:23, Yann Ylavic wrote:

On Mon, Jun 22, 2020 at 12:13 PM jean-frederic clere  wrote:




But there is still something I want to prevent:
ProxyPass  /docs ajp://localhost:8009/docs
and url like:
curl -v --path-as-is "http://localhost:8000/docs/..;food=bar/test/index.jsp;
How do we do that? Do we want a 400 for that? (my proposal do that :-)).


Why would we 400?
Either there is a mapping for /test[/] and we'll be OK, or there is
none we'll be DECLINED.


For the moment I am getting a 200 and the test/index.jsp from tomcat...


Hmm, do you mean that mod_proxy (alias_match_servlet) forwards
http://localhost:8000/test/index.php in this case, even if there is no
mapping for "/test" ??


Yes :D
Well tomcat maps "http://localhost:8080/docs/..;food=bar/test/index.jsp; 
to http://localhost:8080/test/index.jsp which looks bad if you only map

ProxyPass  /docs ajp://localhost:8009/docs



In my testing it's not mapped, so it ends up being handled by the
default_handler() which returns 404.





The 400 will come only if no module handles the URI, and if the
default_handler() finds no "docs/..;food=bar/test/index.jsp" in the
path (where "..;foo=bar" is not considered a directory traversal in
this case).


ProxyPass  /docs ajp://localhost:8009/docs
being mapped as /test/index.jsp (by tomcat) when you
query"http://localhost:8000/docs/..;food=bar/test/index.jsp; looks wrong
and should avoidable.



On my system, this runs smoothly:
$ mkdir -p 'docs/..;foo=bar/test'
$ touch 'docs/..;foo=bar/test/index.php'
$ ls 'docs/..;foo=bar/test/index.php'
'docs/..;foo=bar/test/index.php'



Correct the hardening is to prevent "tomcat customers mistake" that gets
unexpected contexts exposed. I am not able to get it working with you
proposal.


I don't think we should refuse anything in mod_proxy, either forward
or let it be handled elsewhere.


I disagree and think that some should be rejected ;-) but of course I am 
using httpd to protect "a" back-end. That behaviour should NOT be the 
default behavior (and yes mod_rewrite or mod_security are also there to 
help).








Regards;
Yann.



--
Cheers

Jean-Frederic

Re: hardening mod_write and mod_proxy like mod_jk with servletnormalize

[jean-frederic clere]

On 22/06/2020 11:50, Yann Ylavic wrote:

On Mon, Jun 22, 2020 at 11:20 AM jean-frederic clere  wrote:


On 19/06/2020 12:02, Yann Ylavic wrote:

On Thu, Jun 18, 2020 at 6:37 PM jean-frederic clere  wrote:


ProxyMappingDecoded Off
ProxyPass  /test ajp://localhost:8009/test secret=%A1b2!@  mapping=servlet

[]

what is going wrong with
"http://localhost:8000/docs/..;food=bar/test;food=bar/index.jsp;
same for "curl -v --path-as-is
"http://localhost:8000/test;food=bar/index.jsp;


Good catch, should be fixed with
https://github.com/apache/httpd/compare/491a115344e37df21996f323eefd16136d278360..d9f12223ba45e520dd018baf7be084809d531d81
Latest version of the PR should be OK.

Now it results in: ajp://localhost:8009/test;food=bar/index.jsp
We keep the path parameters since the alias (/test) does not end with '/'.


Cool fixed.


Thanks for testing.







ProxyMappingDecoded On
ProxyPass  /test ajp://localhost:8009/test secret=%A1b2!@
mapping=servlet 404 httpd.

ProxyMappingDecoded On
ProxyPass  /test ajp://localhost:8009/test secret=%A1b2!@ 404 httpd.


Hmm, I can't reproduce these ones, they do not take the
alias_match_servlet() path and should not be affected by my changes.
Can you still reproduce with the latest version? I made somes pushes
yesterday, perhaps a transient invalid state...


In fact I was screwing it, sorryt:

But there is still something I want to prevent:
ProxyPass  /docs ajp://localhost:8009/docs
and url like:
curl -v --path-as-is "http://localhost:8000/docs/..;food=bar/test/index.jsp;
How do we do that? Do we want a 400 for that? (my proposal do that :-)).


Why would we 400?
Either there is a mapping for /test[/] and we'll be OK, or there is
none we'll be DECLINED.


For the moment I am getting a 200 and the test/index.jsp from tomcat...



The 400 will come only if no module handles the URI, and if the
default_handler() finds no "docs/..;food=bar/test/index.jsp" in the
path (where "..;foo=bar" is not considered a directory traversal in
this case).


ProxyPass  /docs ajp://localhost:8009/docs
being mapped as /test/index.jsp (by tomcat) when you 
query"http://localhost:8000/docs/..;food=bar/test/index.jsp; looks wrong 
and should avoidable.




On my system, this runs smoothly:
$ mkdir -p 'docs/..;foo=bar/test'
$ touch 'docs/..;foo=bar/test/index.php'
$ ls 'docs/..;foo=bar/test/index.php'
'docs/..;foo=bar/test/index.php'



Correct the hardening is to prevent "tomcat customers mistake" that gets 
unexpected contexts exposed. I am not able to get it working with you 
proposal.




Regards;
Yann.




--
Cheers

Jean-Frederic

Re: hardening mod_write and mod_proxy like mod_jk with servletnormalize

[jean-frederic clere]

On 19/06/2020 12:02, Yann Ylavic wrote:

On Thu, Jun 18, 2020 at 6:37 PM jean-frederic clere  wrote:


ProxyMappingDecoded Off
ProxyPass  /test ajp://localhost:8009/test secret=%A1b2!@  mapping=servlet

[]

what is going wrong with
"http://localhost:8000/docs/..;food=bar/test;food=bar/index.jsp;
same for "curl -v --path-as-is
"http://localhost:8000/test;food=bar/index.jsp;


Good catch, should be fixed with
https://github.com/apache/httpd/compare/491a115344e37df21996f323eefd16136d278360..d9f12223ba45e520dd018baf7be084809d531d81
Latest version of the PR should be OK.

Now it results in: ajp://localhost:8009/test;food=bar/index.jsp
We keep the path parameters since the alias (/test) does not end with '/'.


Cool fixed.





ProxyMappingDecoded On
ProxyPass  /test ajp://localhost:8009/test secret=%A1b2!@
mapping=servlet 404 httpd.

ProxyMappingDecoded On
ProxyPass  /test ajp://localhost:8009/test secret=%A1b2!@ 404 httpd.


Hmm, I can't reproduce these ones, they do not take the
alias_match_servlet() path and should not be affected by my changes.
Can you still reproduce with the latest version? I made somes pushes
yesterday, perhaps a transient invalid state...


In fact I was screwing it, sorryt:

But there is still something I want to prevent:
ProxyPass  /docs ajp://localhost:8009/docs
and url like:
curl -v --path-as-is "http://localhost:8000/docs/..;food=bar/test/index.jsp;
How do we do that? Do we want a 400 for that? (my proposal do that :-)).




Regards;
Yann.




--
Cheers

Jean-Frederic

Re: hardening mod_write and mod_proxy like mod_jk with servletnormalize

[jean-frederic clere]

On 17/06/2020 13:26, Yann Ylavic wrote:

On Sat, Jun 13, 2020 at 11:18 AM jean-frederic clere  wrote:


On 11/06/2020 13:50, Yann Ylavic wrote:

On Thu, Jun 11, 2020 at 1:22 PM Yann Ylavic  wrote:


On Thu, Jun 11, 2020 at 9:57 AM Yann Ylavic  wrote:


On Thu, Jun 11, 2020 at 9:50 AM Yann Ylavic  wrote:


We need a way to forward non %-decoded URLs upto mod_proxy (reverse)
if we want to normalize a second time..


IOW, this block in ap_process_request_internal():

[snip]

Should go _after_ the following:

[snip]

Or we could introduce a new pre_translate_name hook which would
execute before %-decoding, and be used by mod_proxy when
"ProxyPreTranslation on" is configured, and be a prerequisite for
mapping=servlet.

I find ProxyPreTranslation also useful for the non-servlet case btw.

Something like this attached v2 patch.


Here is a v3 with the relevant pre_translate_name hooks only and
ap_getparents() preserved when the URI does not start with '/' (which
makes the patch read better too).


with this patch, how to I get:
curl -v --path-as-is "http://localhost:8000/docs/..;food=bar/test/index.jsp

Mapped to
ProxyPass  /test ajp://localhost:8009/test secret=%A1b2!@
Or rejected in case I have only:
ProxyPass  /docs ajp://localhost:8009/docs secret=%A1b2!@


Right sorry, it does not work with patch v3, I mainly focused on the
"decode at the right place" part of the issue, which is not your
point..

I just staged a more complete proposal in
https://github.com/apache/httpd/pull/128

For the proxy servlet part, I think that we need a dedicated
alias_match() for servlet mapping (called alias_match_servlet() in the
PR), we can't normalize and match separately or the matched length is
completely off wrt the original URI-path.

Can you please try with the patches there? (the last is not really
necessary, it's just to complete the PR should this be merged).

You need to set:
 ProxyMappingDecoded off
in your vhost (or directory) for servlet mapping to be active, with a
ProxyPass like:
 ProxyPass /good/ http://127.0.0.1:80/good/ mapping=servlet

I tried with paths like
"/bad/..;foo=bar/.;foo=bar//other;foo=bar//..;foo=bar/good;foo1=bar1/;foo2=bar2/.;foo3=bar3///./index.html"
which results in "/good/;foo2=bar2/.;foo3=bar3///./index.html" being
forwarded, still things that shouldn't be seem to be declined.

The code in alias_match_servlet() is not really simple, but neither is
servlet mapping..


OK we are going forward:
ProxyMappingDecoded Off
ProxyPass  /test ajp://localhost:8009/test secret=%A1b2!@
and curl -v --path-as-is 
"http://localhost:8000/docs/..;food=bar/test/index.jsp 404 httpd.


ProxyMappingDecoded Off
ProxyPass  /test ajp://localhost:8009/test secret=%A1b2!@  mapping=servlet
and curl -v --path-as-is 
"http://localhost:8000/docs/..;food=bar/test/index.jsp 200 tc URL: 
http://localhost:8000/test/index.jsp
but curl -v --path-as-is 
"http://localhost:8000/docs/..;food=bar/test;food=bar/index.jsp; 404 httpd
what is going wrong with 
"http://localhost:8000/docs/..;food=bar/test;food=bar/index.jsp;
same for "curl -v --path-as-is 
"http://localhost:8000/test;food=bar/index.jsp;


ProxyMappingDecoded On
ProxyPass  /test ajp://localhost:8009/test secret=%A1b2!@ 
mapping=servlet 404 httpd.


ProxyMappingDecoded On
ProxyPass  /test ajp://localhost:8009/test secret=%A1b2!@ 404 httpd.

Comments?




Regards;
Yann.




--
Cheers

Jean-Frederic

Re: hardening mod_write and mod_proxy like mod_jk with servletnormalize

[jean-frederic clere]

On 11/06/2020 13:50, Yann Ylavic wrote:

On Thu, Jun 11, 2020 at 1:22 PM Yann Ylavic  wrote:


On Thu, Jun 11, 2020 at 9:57 AM Yann Ylavic  wrote:


On Thu, Jun 11, 2020 at 9:50 AM Yann Ylavic  wrote:


We need a way to forward non %-decoded URLs upto mod_proxy (reverse)
if we want to normalize a second time..


IOW, this block in ap_process_request_internal():

[snip]

Should go _after_ the following:

[snip]

Or we could introduce a new pre_translate_name hook which would
execute before %-decoding, and be used by mod_proxy when
"ProxyPreTranslation on" is configured, and be a prerequisite for
mapping=servlet.

I find ProxyPreTranslation also useful for the non-servlet case btw.

Something like this attached v2 patch.


Here is a v3 with the relevant pre_translate_name hooks only and
ap_getparents() preserved when the URI does not start with '/' (which
makes the patch read better too).


with this patch, how to I get:
curl -v --path-as-is "http://localhost:8000/docs/..;food=bar/test/index.jsp

Mapped to
ProxyPass  /test ajp://localhost:8009/test secret=%A1b2!@
Or rejected in case I have only:
ProxyPass  /docs ajp://localhost:8009/docs secret=%A1b2!@






Regards;
Yann.



--
Cheers

Jean-Frederic

Re: hardening mod_write and mod_proxy like mod_jk with servletnormalize

[jean-frederic clere]

On 10/06/2020 11:53, Ruediger Pluem wrote:



On 6/9/20 12:05 PM, jean-frederic clere wrote:

Hi,

Basically it adds servletnormalizecheck to mod_proxy for 
ProxyPass/ProxyPassMatch and mod_rewrite when using P
I have tested the following uses:
#ProxyPass  /docs ajp://localhost:8009/docs secret=%A1b2!@ servletnormalizecheck

#ProxyPassMatch  "^/docs(.*)$" "ajp://localhost:8009/docs$1" secret=%A1b2!@ 
servletnormalizecheck

#RewriteEngine On
#RewriteRule "^/docs(.*)$" "ajp://localhost:8009/docs$1" [P,SNC]
#
#ProxySet connectiontimeout=5 timeout=30 secret=%A1b2!@
#

#
#  ProxyPass  ajp://localhost:8009/docs secret=%A1b2!@ servletnormalizecheck
#

What is not supported is
curl -v --path-as-is 
"http://localhost:8000/docs/..;foo=bar/;foo=bar/test/index.jsp;

that could be remapped to
ProxyPass  /test ajp://localhost:8009/test secret=%A1b2!@ servletnormalizecheck
or a 

Comments?


I understood from Mark that the request you do above with curl should not be 
denied but just mapped to /test.
But rethinking that, it becomes real fun: For mapping we should use the URI 
stripped off path parameters and then having done the
shrinking operation (servlet normalized) but we should use the original URI 
having done the shrinking operation with path
parameters to sent to the backend. That might work for a simple prefix 
matching, but it seems to be very difficult for regular
expression scenarios where you might use complex captures from the matching to 
build the result. But if the matching was done
against the servlet normalized URI the captures might be different, than the 
ones you would have got when doing the same against
not normalized URI. So I am little bit lost here.
What if we just have an option on virtual host base to drop path parameters of 
the following kind

s#/([.]{0,2})(;[^/]*)/#/$1/g

do the usual shrinking operation afterwards and just process them afterwards as 
usual.


I think it makes sense to have it there but separated from the 
servletnormalizecheck because that changes the whole  mapping

So I will add something like MergeSlashes which will map
http://localhost:8000/docs/..;foo=bar/;foo=bar/test/index.jsp
to /test
And arrange the proxy so that /docs/..;foo=bar/;foo=bar/test/index.jsp 
is sent to the back-end.


Should I commit my first proposal (it is easily backportable to 2.4.x) 
and later work on the next one?




Regards

Rüdiger





--
Cheers

Jean-Frederic

hardening mod_write and mod_proxy like mod_jk with servletnormalize

[jean-frederic clere]

Hi,

Basically it adds servletnormalizecheck to mod_proxy for 
ProxyPass/ProxyPassMatch and mod_rewrite when using P

I have tested the following uses:
#ProxyPass  /docs ajp://localhost:8009/docs secret=%A1b2!@ 
servletnormalizecheck


#ProxyPassMatch  "^/docs(.*)$" "ajp://localhost:8009/docs$1" 
secret=%A1b2!@ servletnormalizecheck


#RewriteEngine On
#RewriteRule "^/docs(.*)$" "ajp://localhost:8009/docs$1" [P,SNC]
#
#ProxySet connectiontimeout=5 timeout=30 secret=%A1b2!@
#

#
#  ProxyPass  ajp://localhost:8009/docs secret=%A1b2!@ servletnormalizecheck
#

What is not supported is
curl -v --path-as-is 
"http://localhost:8000/docs/..;foo=bar/;foo=bar/test/index.jsp;


that could be remapped to
ProxyPass  /test ajp://localhost:8009/test secret=%A1b2!@ 
servletnormalizecheck

or a 

Comments?

--
Cheers

Jean-Frederic
Index: build/find_apr.m4
===
--- build/find_apr.m4	(revision 1878566)
+++ build/find_apr.m4	(nonexistent)
@@ -1,202 +0,0 @@
-dnl  -*- autoconf -*-
-dnl Licensed to the Apache Software Foundation (ASF) under one or more
-dnl contributor license agreements.  See the NOTICE file distributed with
-dnl this work for additional information regarding copyright ownership.
-dnl The ASF licenses this file to You under the Apache License, Version 2.0
-dnl (the "License"); you may not use this file except in compliance with
-dnl the License.  You may obtain a copy of the License at
-dnl
-dnl http://www.apache.org/licenses/LICENSE-2.0
-dnl
-dnl Unless required by applicable law or agreed to in writing, software
-dnl distributed under the License is distributed on an "AS IS" BASIS,
-dnl WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-dnl See the License for the specific language governing permissions and
-dnl limitations under the License.
-
-dnl
-dnl find_apr.m4 : locate the APR include files and libraries
-dnl
-dnl This macro file can be used by applications to find and use the APR
-dnl library. It provides a standardized mechanism for using APR. It supports
-dnl embedding APR into the application source, or locating an installed
-dnl copy of APR.
-dnl
-dnl APR_FIND_APR(srcdir, builddir, implicit-install-check, acceptable-majors,
-dnl  detailed-check)
-dnl
-dnl   where srcdir is the location of the bundled APR source directory, or
-dnl   empty if source is not bundled.
-dnl
-dnl   where builddir is the location where the bundled APR will will be built,
-dnl   or empty if the build will occur in the srcdir.
-dnl
-dnl   where implicit-install-check set to 1 indicates if there is no
-dnl   --with-apr option specified, we will look for installed copies.
-dnl
-dnl   where acceptable-majors is a space separated list of acceptable major
-dnl   version numbers. Often only a single major version will be acceptable.
-dnl   If multiple versions are specified, and --with-apr=PREFIX or the
-dnl   implicit installed search are used, then the first (leftmost) version
-dnl   in the list that is found will be used.  Currently defaults to [0 1].
-dnl
-dnl   where detailed-check is an M4 macro which sets the apr_acceptable to
-dnl   either "yes" or "no". The macro will be invoked for each installed
-dnl   copy of APR found, with the apr_config variable set appropriately.
-dnl   Only installed copies of APR which are considered acceptable by
-dnl   this macro will be considered found. If no installed copies are
-dnl   considered acceptable by this macro, apr_found will be set to either
-dnl   either "no" or "reconfig".
-dnl
-dnl Sets the following variables on exit:
-dnl
-dnl   apr_found : "yes", "no", "reconfig"
-dnl
-dnl   apr_config : If the apr-config tool exists, this refers to it. If
-dnlapr_found is "reconfig", then the bundled directory
-dnlshould be reconfigured *before* using apr_config.
-dnl
-dnl Note: this macro file assumes that apr-config has been installed; it
-dnl   is normally considered a required part of an APR installation.
-dnl
-dnl If a bundled source directory is available and needs to be (re)configured,
-dnl then apr_found is set to "reconfig". The caller should reconfigure the
-dnl (passed-in) source directory, placing the result in the build directory,
-dnl as appropriate.
-dnl
-dnl If apr_found is "yes" or "reconfig", then the caller should use the
-dnl value of apr_config to fetch any necessary build/link information.
-dnl
-
-AC_DEFUN([APR_FIND_APR], [
-  apr_found="no"
-
-  if test "$target_os" = "os2-emx"; then
-# Scripts don't pass test -x on OS/2
-TEST_X="test -f"
-  else
-TEST_X="test -x"
-  fi
-
-  ifelse([$4], [], [
- ifdef(AC_WARNING,AC_WARNING([$0: missing argument 4 (acceptable-majors): Defaulting to APR 0.x then APR 1.x]))
- acceptable_majors="0 1"],
- [acceptable_majors="$4"])
-
-  apr_temp_acceptable_apr_config=""
-  for apr_temp_major in 

Re: [VOTE] Release httpd-2.4.43

[jean-frederic clere]

On 26/03/2020 15:50, Daniel Ruggeri wrote:

[X] +1: It's not just good, it's good enough!


Tested on fedora31.

Thanks Daniel

--
Cheers

Jean-Frederic