Re: Question on sub requests and output filter context.
On Thu, 15 Sep 2011 11:52:38 +0100 Martin Townsend martin.towns...@power-oasis.com wrote: Should this new filter also inherit the output filters context? Am I doing something wrong with my use of mod_include? I've tried moving my filter so it's after mod_include but still the same problem. This looks reminiscent of https://issues.apache.org/bugzilla/show_bug.cgi?id=17629 a bug that lurked a long time before being fixed! I suggest you read that - particularly comment 30 and later, and see if it sheds any light on your problem. -- Nick Kew
Re: PATCH: mod_log_config, CookieLog
On 19 Sep 2011, at 1:28 AM, Rich Bowen wrote: The CookieLog directive has been documented as deprecated since mod_log_config was introduced, back in the 1.2 days. Any objection to axing it? Axe it, +1. Regards, Graham --
Re: svn commit: r1172010 - /httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
On 9/19/2011 12:55 AM, Ruediger Pluem wrote: On 09/17/2011 06:25 PM, drugg...@apache.org wrote: Author: druggeri Date: Sat Sep 17 16:25:17 2011 New Revision: 1172010 URL: http://svn.apache.org/viewvc?rev=1172010view=rev Log: Log better information and prevent leak of an X509 structure for SSLProxyMachineCertificateChainFile Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=1172010r1=1172009r2=1172010view=diff == --- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original) +++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Sat Sep 17 16:25:17 2011 
@@ -1181,21 +1181,57 @@ static void ssl_init_proxy_certs(server_ X509_STORE_load_locations(store, pkp-ca_cert_file, NULL); for (n = 0; n ncerts; n++) { -int i; +int i, res; +char cert_cn[256]; + X509_INFO *inf = sk_X509_INFO_value(pkp-certs, n); +X509_NAME *name = X509_get_subject_name(inf-x509); +X509_NAME_oneline(name, cert_cn, sizeof(cert_cn)); X509_STORE_CTX_init(sctx, store, inf-x509, NULL); -X509_verify_cert(sctx); -ERR_clear_error(); +res=X509_verify_cert(sctx); Style violation. chain = X509_STORE_CTX_get1_chain(sctx); -sk_X509_shift(chain); + +if (res == 1) { +/* Removing the client cert if verification is OK + * could save a loop when choosing which cert to send + * when more than one is available */ +/* XXX: This is not needed if we collapse the two + * checks in ssl_engine_kernel in the future */ +X509_free(sk_X509_shift(chain)); +} +else { +int n=X509_STORE_CTX_get_error(sctx); Overwriting a symbol from the loop is IMHO bad and makes code hard to read. Please use another name instead of n. Besides we have a style violation here again. +ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, + SSL proxy client cert chain verification failed for %s: %s, + cert_cn, X509_verify_cert_error_string(n)); +} +ERR_clear_error(); i=sk_X509_num(chain); pkp-ca_certs[n] = chain; + +if (i == 0 || (res != 1 i == 1) ) { +/* zero or only the client cert won't be very useful + * due to verification failure */ +sk_X509_pop_free(chain, X509_free); +i = 0; +pkp-ca_certs[n] = NULL; +} + X509_STORE_CTX_cleanup(sctx); ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, - client certificate %i has loaded %i - intermediate CA%s, n, i, i == 1 ? : s); + loaded %i intermediate CA%s for cert %i (%s), + i, i == 1 ? 
: s, n, cert_cn); +if (i 0) { +int j; +for (j=0; ji; j++) { +char ca_cn[256]; +X509_NAME *ca_name = X509_get_subject_name(sk_X509_value(chain, j)); +X509_NAME_oneline(ca_name, ca_cn, sizeof(ca_cn)); +ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, %i: %s, j, ca_cn); +} +} } X509_STORE_CTX_free(sctx); Regards Rüdiger Thank you. Fixed in r1172562. -- Daniel Ruggeri
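Review bot: In the else branch taken when res != 1, nothing removes the leaf from chain, so whenever i is greater than 1 the chain stored in pkp->ca_certs[n] still starts with the client certificate and the debug line counts it as an intermediate CA. Shift and free the first element on both paths, or discard the chain whenever verification fails. The i == 0 test also misses a NULL chain, for which sk_X509_num() returns -1; checking i <= 0 would cover it.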
mod_proxy_fcgi + mod_proxy_balancer vs. php-fpm and query strings
I am having a couple of problems WRT using mod_proxy_fcgi inside a balancer proxied to php-fpm. There are lots of variables in this scenario, but I think I have narrowed the issues down. The setup looks like this:

httpd -> balancer -> fcgi balancer members -> php-fpm

Issue 1: PHP-FPM does not handle the proxy:balancer prefix in SCRIPT_FILENAME. It does handle proxy:fcgi as a special case (see https://bugs.php.net/bug.php?id=54152 fix by jim). So, it seems we need to also add a proxy:balancer exception there unless a balanced mod_proxy_fcgi member should actually be using proxy:fcgi instead. What are people's thoughts on the prefix that should be sent by httpd in this case? To address this for now, I have modified PHP (fpm_main.c alongside jim's existing changes).

Issue 2: Once I got Issue 1 addressed, everything started working except in the case of a query string. I spent considerable time tracing and trying to figure out where the issue is occurring, but I am hoping one of you who is much more familiar with the code than I will be able to say, "Oh, look right here." The problem is that the query string is getting appended to SCRIPT_FILENAME if proxied through a balancer. FPM does not like this. It does not seem to happen in the case of proxying directly to fcgi://..., but once I change this to balancer://..., the query string gets added to SCRIPT_FILENAME. I believe this happened with both ProxyPass* and mod_rewrite [P]. In mod_rewrite, this should get handled in splitout_queryargs(), but somehow it is getting added back (probably in proxy_balancer_canon() which adds the query string back to r->filename?).

For right now, I have done a brute-force fix for this by adding the code below to the beginning of send_environment() in mod_proxy_fcgi.c, before the calls to ap_add_common_vars() and ap_add_cgi_vars(). I am guessing that this isn't the ultimate fix for this issue, so I am interested in others' thoughts.
+/* Remove query string from r-filename (r-args is already set and passed via QUERY_STRING) */ +q = ap_strchr_c(r-filename, '?'); +if (q != NULL) { +*q = '\0'; +}
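Review bot: The store in "*q = '\0';" writes through a pointer obtained from ap_strchr_c(), which is the const-returning variant, and the declaration of q is not part of the posted lines. Use ap_strchr(r->filename, '?') with a char *q declared in send_environment(). Because the cut is made in place on the string that later hooks and logging also read, a comment saying why truncating it at this point is safe would help.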
Re: PATCH: mod_log_config, CookieLog
bye bye :) On Sep 18, 2011, at 7:28 PM, Rich Bowen wrote: The CookieLog directive has been documented as deprecated since mod_log_config was introduced, back in the 1.2 days. Any objection to axing it? Index: docs/manual/mod/mod_log_config.xml === --- docs/manual/mod/mod_log_config.xml(revision 1172391) +++ docs/manual/mod/mod_log_config.xml(working copy) @@ -361,23 +361,6 @@ /directivesynopsis directivesynopsis -nameCookieLog/name -descriptionSets filename for the logging of cookies/description -syntaxCookieLog varfilename/var/syntax -contextlistcontextserver config/contextcontextvirtual host/context -/contextlist -compatibilityThis directive is deprecated./compatibility - -usage -pThe directiveCookieLog/directive directive sets the -filename for logging of cookies. The filename is relative to the -directive module=coreServerRoot/directive. This directive is -included only for compatibility with codemod_cookies/code, -and is deprecated./p -/usage -/directivesynopsis - -directivesynopsis nameCustomLog/name descriptionSets filename and format of log file/description syntaxCustomLog varfile/var|varpipe/var Index: modules/loggers/mod_log_config.c === --- modules/loggers/mod_log_config.c (revision 1172391) +++ modules/loggers/mod_log_config.c (working copy) @@ -31,9 +31,6 @@ *Log to file fn with format given by the format *argument * - *CookieLog fnFor backwards compatability with old Cookie - *logging module - now deprecated. - * * There can be any number of TransferLog and CustomLog * commands. Each request will be logged to _ALL_ the * named files, in the appropriate format. @@ -1284,11 +1281,6 @@ return add_custom_log(cmd, dummy, fn, NULL, NULL); } -static const char *set_cookie_log(cmd_parms *cmd, void *dummy, const char *fn) -{ -return add_custom_log(cmd, dummy, fn, %{Cookie}n \%r\ %t, NULL); -} - static const char *set_buffered_logs_on(cmd_parms *parms, void *dummy, int flag) { buffered_logs = flag; 
@@ -1311,8 +1303,6 @@ the filename of the access log), AP_INIT_TAKE12(LogFormat, log_format, NULL, RSRC_CONF, a log format string (see docs) and an optional format name), -AP_INIT_TAKE1(CookieLog, set_cookie_log, NULL, RSRC_CONF, - the filename of the cookie log), AP_INIT_FLAG(BufferedLogs, set_buffered_logs_on, NULL, RSRC_CONF, Enable Buffered Logging (experimental)), {NULL} -- Rich Bowen rbo...@rcbowen.com rbo...@apache.org
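Review bot: Dropping the AP_INIT_TAKE1(CookieLog, ...) entry means any configuration that still contains CookieLog will be rejected at startup, yet the patch touches only mod_log_config.xml and mod_log_config.c. Add a CHANGES entry, and a line in the upgrading notes, naming the replacement: a CustomLog with the format string that the removed set_cookie_log() passed to add_custom_log().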
Re: Pushing for httpd 2.4.0 GA
On Sep 18, 2011, at 6:17 PM, Rich Bowen wrote: - mod_lbmethod_bybusyness - mod_lbmethod_byrequests - mod_lbmethod_bytraffic Do we really need full doccos for these sub modules? No matter what, these would be easy to do since mod_proxy and mod_proxy_balancer pretty much describe them anyway ;)
Re: Pushing for httpd 2.4.0 GA
On Sep 18, 2011, at 6:52 PM, Rainer Jung wrote: - mod_heartbeat - mod_heartmonitor Those two were mainly provided by Jean-Frederic (AFAIR). I think these were Paul's… - mod_lbmethod_heartbeat As was this.
Re: Pushing for httpd 2.4.0 GA
On Sep 18, 2011, at 6:52 PM, Rainer Jung wrote: - mpm_simple mpm_simple likely to get dropped for 2.4, see our main STATUS file I hope to spend some time diving into mod_simple… I have some uncommitted patches that I need to re-look at.
Re: Pushing for httpd 2.4.0 GA
On Sep 19, 2011, at 8:58 AM, Jim Jagielski wrote: On Sep 18, 2011, at 6:17 PM, Rich Bowen wrote: - mod_lbmethod_bybusyness - mod_lbmethod_byrequests - mod_lbmethod_bytraffic Do we really need full doccos for these sub modules? No matter what, these would be easy to do since mod_proxy and mod_proxy_balancer pretty much describe them anyway ;) Someone's created enough of a doc to say what the module is after someone spots it in httpd -M and wants to know what it is. I'll update them to not promise more. That is, they currently say This document is still under development, but I think what's there is probably sufficient for the purpose. -- Rich Bowen rbo...@rcbowen.com rbo...@apache.org
Re: mod_proxy_fcgi + mod_proxy_balancer vs. php-fpm and query strings
On September 19, 2011 8:37 , Jim Riggs apache-li...@riggs.me wrote: httpd - balancer - fcgi balancer members - php-fpm Issue 1: PHP-FPM does not handle the proxy:balancer prefix in SCRIPT_FILENAME. It does handle proxy:fcgi as a special case (see https://bugs.php.net/bug.php?id=54152 fix by jim). So, it seems we need to also add a proxy:balancer exception there unless a balanced mod_proxy_fcgi member should actually be using proxy:fcgi instead. What are people's thoughts on the prefix that should be sent by httpd in this case? To address this for now, I have modified PHP (fpm_main.c alongside jim's existing changes). As the person who wrote the changes that Jim later modified and committed, this seems reasonable to me, assuming it is correct (I say assuming only because I have never used mod_proxy_fcgi in a balancer configuration). Issue 2: Once I got Issue 1 addressed, everything started working except in the case of a query string. I spent considerable time tracing and trying to figure out where the issue is occurring, but I am hoping one of you who is much more familiar with the code than I will be able to say, Oh, look right here. The problem is that the query string is getting appended to SCRIPT_FILENAME if proxied through a balancer. FPM does not like this. It does not seem to happen in the case of proxying directly to fcgi://..., but once I change this to balancer://..., the query string gets added to SCRIPT_FILENAME. I believe this happened with both ProxyPass* and mod_rewrite [P]. In mod_rewrite, this should get handled in splitout_queryargs(), but somehow it is getting added back (probably in proxy_balancer_canon() which adds the query string back to r-filename?). For right now, I have done a brute-force fix for this by adding the code below to the beginning of send_environment() in mod_proxy_fcgi.c, before the calls to ap_add_common_vars() and ap_add_cgi_vars(). 
I am guessing that this isn't the ultimate fix for this issue, so I am interested in others' thoughts. +/* Remove query string from r-filename (r-args is already set and passed via QUERY_STRING) */ +q = ap_strchr_c(r-filename, '?'); +if (q != NULL) { +*q = '\0'; +} This sounds like it is related to https://issues.apache.org/bugzilla/show_bug.cgi?id=51077 as well. Probably a new patch is needed to consistently and properly fix all of the cases (regular, mod_proxy_{f,s}cgi, mod_proxy_{f,s}cgi + balancer). -- Mark Montague m...@catseye.org
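The prefix and query-string handling discussed in this thread, covering both proxy:fcgi and proxy:balancer, as an added example (not code from httpd, PHP-FPM or any poster). The function names and sample paths are hypothetical; unlike the brute-force patch, it copies into a caller buffer instead of cutting r->filename in place.

```c
#include <stdio.h>
#include <string.h>

/* Scheme prefixes named in the thread as showing up in SCRIPT_FILENAME. */
static const char *const proxy_prefixes[] = {
    "proxy:fcgi://",
    "proxy:balancer://",
};

/*
 * Hypothetical helper: derive the script path from a proxied filename.
 *   proxy:fcgi://127.0.0.1:9000/var/www/a.php   -> /var/www/a.php
 *   proxy:balancer://cluster/var/www/a.php?x=1  -> /var/www/a.php
 * Returns 0 on success, -1 if there is no path or out is too small.
 */
int script_filename_from_proxy(const char *filename, char *out, size_t outlen)
{
    const char *path = filename;
    size_t i, len;

    for (i = 0; i < sizeof(proxy_prefixes) / sizeof(proxy_prefixes[0]); i++) {
        size_t plen = strlen(proxy_prefixes[i]);
        if (strncmp(filename, proxy_prefixes[i], plen) == 0) {
            /* Skip "host:port" or the balancer name. Stop at '?' as well,
             * so a '/' inside the query is never taken for the path. */
            const char *authority = filename + plen;
            path = authority + strcspn(authority, "/?");
            if (*path != '/')
                return -1;
            break;
        }
    }

    /* The query string already travels in QUERY_STRING; drop it here. */
    len = strcspn(path, "?");
    if (len == 0 || len >= outlen)
        return -1;
    memcpy(out, path, len);
    out[len] = '\0';
    return 0;
}

/* Convenience check: 1 if filename normalises to expected, else 0. */
int normalizes_to(const char *filename, const char *expected)
{
    char buf[256];
    if (script_filename_from_proxy(filename, buf, sizeof(buf)) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample values, not taken from a real server. */
    const char *samples[] = {
        "proxy:fcgi://127.0.0.1:9000/var/www/html/info.php",
        "proxy:balancer://phpcluster/var/www/html/index.php?id=1&x=2",
        "/var/www/html/a.php?debug",
        "proxy:balancer://phpcluster?x=/etc/passwd",
    };
    size_t i;
    char buf[256];

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        if (script_filename_from_proxy(samples[i], buf, sizeof(buf)) == 0)
            printf("%s\n  -> %s\n", samples[i], buf);
        else
            printf("%s\n  -> rejected\n", samples[i]);
    }
    return 0;
}
```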
Re: Question on sub requests and output filter context.
On 18/09/2011 11:34, Sorin Manolache wrote:

On Thu, Sep 15, 2011 at 12:52, Martin Townsend martin.towns...@power-oasis.com wrote:

Hi, I have an output filter that parses custom tags to retrieve data from an application running on the same device. Everything was working well until I tried to move some HTML into Server Side Include pages. Snippet below:

    <?smu smu extio_sensor_read mappings ?>
    <?smu smu extio_read front_ana all led ?>
    <?smu smu extio_read rear_ana all led ?>
    <!--#include virtual="/include/SSI_SensorStatus.html" -->
    <!--#include virtual="/include/SSI_SensorStatusAnalogRear.html" -->

The first three commands will populate hash tables that are saved in my output filter's context. The HTML in the included pages then use custom tags to query the hash tables but for some reason the hash tables are NULL. Having stepped through with the debugger I can see that the pointer to the output filter when processing the main HTML page is different to the one when parsing custom tags in SSI pages. Looking through mod_include I can see it creates a sub request for include and sub requests call make_sub_request to create a new filter. Should this new filter also inherit the output filter's context? Am I doing something wrong with my use of mod_include? I've tried moving my filter so it's after mod_include but still the same problem. I'm using Server version: Apache/2.2.19 (Unix) on an ARM board. Best Regards, Martin.

How do you construct the context of your filter? At the first invocation of the filter or in the init function of the filter? In the second case, it could be that you construct the context twice, the first time in the main request processing and the second time in the subrequest processing. In my opinion, apache uses the same filter structure in both the main and the sub request. In mod_includes apache creates a subrequest, passing f->next to it. Thus, the first filter in the filter chain of the subrequest is the filter succeeding the INCLUDES filter. In my opinion, if you place your filter before the INCLUDES filter, your filter should not be called in the subrequest if yours is an AP_FTYPE_RESOURCE filter. If you place your filter after the INCLUDES filter, the hash tables you mention are not initialised at the time when your filter processes the responses of the includes subrequests. I am not sure of what I'm saying because I have no experience in how mod_includes interacts with other filters. Anyway, I hope this helps.

Have a look in server/request.c at make_sub_request. The subrequest inherits the protocol filters of the main request, but not all of the non-protocol output filters of the main request. Maybe you should make your filter an AP_FTYPE_PROTOCOL filter such that it is not removed from the chain by mod_includes.

S

Hi, Thanks for the reply, I create the context when the filter is invoked, below is my output filter hook that I use.

    apr_status_t smu_output_filter(ap_filter_t *filter_in_p,
                                   apr_bucket_brigade *bb_in_p)
    {
        apr_status_t rv;

        if (APR_BRIGADE_EMPTY(bb_in_p)) {
            return APR_SUCCESS;
        }

        /* If this filter has been called for the first time then create a new one */
        if (!filter_in_p->ctx) {
            rv = mod_smu_output_filter_ctx_init(filter_in_p);
            if (rv != APR_SUCCESS) {
                /* If we fail to initialise let other filters try and finish. */
                return ap_pass_brigade(filter_in_p->next, bb_in_p);
            }
        }

Here is the code that registers it

    ap_register_output_filter(smu_output_filter_name, smu_output_filter,
                              NULL, AP_FTYPE_RESOURCE + 2);

So it should be after the include filter. I've stepped through the code and the filter_in_p->ctx of the sub request is NULL so I then create a new one. As Joachim suggests this is expected behaviour I need a method of storing my hash tables so they are preserved across requests and sub requests. So 2 questions

1) In my output filter can I get the context of the main request's filter and use this in the sub request.

2) If not what other mechanism can I use, as these hash tables only need to persist for the lifetime of the request is there something in the request structure. Maybe use the notes table where the value parameter is cast to a pointer to a hash table.

Thanks in advance, Martin.
Re: mod_proxy_fcgi + mod_proxy_balancer vs. php-fpm and query strings
I'll look at all this when I have some time in a few days… On Sep 19, 2011, at 10:32 AM, Mark Montague wrote: On September 19, 2011 8:37 , Jim Riggs apache-li...@riggs.me wrote: httpd - balancer - fcgi balancer members - php-fpm Issue 1: PHP-FPM does not handle the proxy:balancer prefix in SCRIPT_FILENAME. It does handle proxy:fcgi as a special case (see https://bugs.php.net/bug.php?id=54152 fix by jim). So, it seems we need to also add a proxy:balancer exception there unless a balanced mod_proxy_fcgi member should actually be using proxy:fcgi instead. What are people's thoughts on the prefix that should be sent by httpd in this case? To address this for now, I have modified PHP (fpm_main.c alongside jim's existing changes). As the person who wrote the changes that Jim later modified and committed, this seems reasonable to me, assuming it is correct (I say assuming only because I have never used mod_proxy_fcgi in a balancer configuration). Issue 2: Once I got Issue 1 addressed, everything started working except in the case of a query string. I spent considerable time tracing and trying to figure out where the issue is occurring, but I am hoping one of you who is much more familiar with the code than I will be able to say, Oh, look right here. The problem is that the query string is getting appended to SCRIPT_FILENAME if proxied through a balancer. FPM does not like this. It does not seem to happen in the case of proxying directly to fcgi://..., but once I change this to balancer://..., the query string gets added to SCRIPT_FILENAME. I believe this happened with both ProxyPass* and mod_rewrite [P]. In mod_rewrite, this should get handled in splitout_queryargs(), but somehow it is getting added back (probably in proxy_balancer_canon() which adds the query string back to r-filename?). 
For right now, I have done a brute-force fix for this by adding the code below to the beginning of send_environment() in mod_proxy_fcgi.c, before the calls to ap_add_common_vars() and ap_add_cgi_vars(). I am guessing that this isn't the ultimate fix for this issue, so I am interested in others' thoughts. +/* Remove query string from r-filename (r-args is already set and passed via QUERY_STRING) */ +q = ap_strchr_c(r-filename, '?'); +if (q != NULL) { +*q = '\0'; +} This sounds like it is related to https://issues.apache.org/bugzilla/show_bug.cgi?id=51077 as well. Probably a new patch is needed to consistently and properly fix all of the cases (regular, mod_proxy_{f,s}cgi, mod_proxy_{f,s}cgi + balancer). -- Mark Montague m...@catseye.org
Re: EOL for 2.0
On 9/17/2011 8:59 PM, Rich Bowen wrote: On Sep 16, 2011, at 11:59 AM, William A. Rowe Jr. wrote: On 9/16/2011 12:51 AM, Issac Goldstand wrote: IIRC, we talked about making 2.0 EOL when we make the next release, but I don't think we ever formalized the decision. Does anyone have comments for or against announcing 2.0 End-Of-Life at a set time (say 3 months) following the release of 2.4? Yes, I'd prefer we set a 12 month sunset on 2.0 in conjunction with the 2.4 release, not 3 months later when nobody is paying attention. +1. While I'd like to be rid of it earlier, I think 3 months is too fast. 12 months may be too long, but we lose nothing by setting it there rather than too short. A 12 mos sunset is what we declared for 1.3 (or that is effectively what happened)... we announced the final 1.3.42, and over the following 12 mos, we examined various security complaints and found that none really applied. In that time we turned off httpd-1.3 in bugzilla and warned everyone of its end of life, no further releases. And at the end of those 12 mos (13-14 actually) I pulled httpd-1.3.42 off of downloads.xml, out of dist/httpd/, and removed various other references. There is now simply a few remaining references to archive.a.o, which will incidentally mention this is where old 1.3 can be found. We can easily do the same with 2.0.64; no further bugfix releases expected, and security fixes will end 12 months from the release of 2.4.0. That is what sunset refers to, very limited support before being entirely abandoned. We didn't even promise to go this far in 1.3 (we said security -patches- would be announced during its sunset). During those 12 mos, various sites made their own calls on statements about their third party modules for 1.3, ranging from 'we quit updating effective immediately' to 'we'll keep supporting and updating our module, irrespective of the ASF's project'. Which is all fine, it is entirely their individual choice as individual projects. 
But we framed the conversation so they could each come up with their own messaging to their own end users.
Re: svn commit: r1172686 - in /httpd/httpd/trunk: ./ include/ modules/cache/ modules/examples/ modules/proxy/ modules/ssl/ server/ server/mpm/event/ server/mpm/worker/
I am pretty sure that this kind of change has been vetoed numerous times in the past. What has changed? Roy On Sep 19, 2011, at 9:25 AM, s...@apache.org wrote: Author: sf Date: Mon Sep 19 16:25:42 2011 New Revision: 1172686 URL: http://svn.apache.org/viewvc?rev=1172686view=rev Log: Add wrappers for malloc, calloc, realloc that check for out of memory situations. Use them in most places where malloc, and friends are used. This results in clean error messages in an out of memory situation instead of segfaulting or silently malfunctioning. In some places, it just allows to remove some logging code. PR 51568, PR 51569, PR 51571. Modified: httpd/httpd/trunk/CHANGES httpd/httpd/trunk/include/ap_config.h httpd/httpd/trunk/include/ap_mmn.h httpd/httpd/trunk/include/httpd.h httpd/httpd/trunk/modules/cache/cache_cache.c httpd/httpd/trunk/modules/cache/cache_hash.c httpd/httpd/trunk/modules/cache/cache_pqueue.c httpd/httpd/trunk/modules/cache/mod_socache_dbm.c httpd/httpd/trunk/modules/examples/mod_case_filter_in.c httpd/httpd/trunk/modules/proxy/proxy_util.c httpd/httpd/trunk/modules/ssl/ssl_util.c httpd/httpd/trunk/server/config.c httpd/httpd/trunk/server/main.c httpd/httpd/trunk/server/mpm/event/event.c httpd/httpd/trunk/server/mpm/worker/worker.c httpd/httpd/trunk/server/mpm_unix.c httpd/httpd/trunk/server/scoreboard.c httpd/httpd/trunk/server/util.c Modified: httpd/httpd/trunk/CHANGES URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1172686r1=1172685r2=1172686view=diff == --- httpd/httpd/trunk/CHANGES [utf-8] (original) +++ httpd/httpd/trunk/CHANGES [utf-8] Mon Sep 19 16:25:42 2011 
@@ -12,6 +12,10 @@ Changes with Apache 2.3.15 PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener, lowprio20 gmail.com] + *) Add wrappers for malloc, calloc, realloc that check for out of memory + situations and use them in many places. PR 51568, PR 51569, PR 51571. + [Stefan Fritsch] + *) Fix cross-compilation of mod_cgi/mod_cgid when APR_HAVE_STRUCT_RLIMIT is false but RLIMIT_* are defined. PR51371. [Eric Covener] Modified: httpd/httpd/trunk/include/ap_config.h URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/include/ap_config.h?rev=1172686r1=1172685r2=1172686view=diff == --- httpd/httpd/trunk/include/ap_config.h (original) +++ httpd/httpd/trunk/include/ap_config.h Mon Sep 19 16:25:42 2011 @@ -182,4 +182,12 @@ #define ap_func_attr_sentinel #endif +#if ( defined(__GNUC__) \ + (__GNUC__ = 4 || ( __GNUC__ == 3 __GNUC_MINOR__ = 4))) \ +|| __has_attribute(warn_unused_result) +#define ap_func_attr_warn_unused_result __attribute__((warn_unused_result)) +#else +#define ap_func_attr_warn_unused_result +#endif + #endif /* AP_CONFIG_H */ Modified: httpd/httpd/trunk/include/ap_mmn.h URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/include/ap_mmn.h?rev=1172686r1=1172685r2=1172686view=diff == --- httpd/httpd/trunk/include/ap_mmn.h (original) +++ httpd/httpd/trunk/include/ap_mmn.h Mon Sep 19 16:25:42 2011 @@ -352,6 +352,8 @@ * 20110724.5 (2.3.15-dev) add ap_set_accept_ranges() * 20110724.6 (2.3.15-dev) add max_overlaps and max_reversals to core_dir_config * 20110724.7 (2.3.15-dev) add ap_random_insecure_bytes(), ap_random_pick() + * 20110724.8 (2.3.15-dev) add ap_abort_on_oom(), ap_malloc(), ap_calloc(), + * ap_realloc() */ #define MODULE_MAGIC_COOKIE 0x41503234UL /* AP24 */ 
@@ -359,7 +361,7 @@ #ifndef MODULE_MAGIC_NUMBER_MAJOR #define MODULE_MAGIC_NUMBER_MAJOR 20110724 #endif -#define MODULE_MAGIC_NUMBER_MINOR 7/* 0...n */ +#define MODULE_MAGIC_NUMBER_MINOR 8/* 0...n */ /** * Determine if the server's current MODULE_MAGIC_NUMBER is at least a Modified: httpd/httpd/trunk/include/httpd.h URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/include/httpd.h?rev=1172686r1=1172685r2=1172686view=diff == --- httpd/httpd/trunk/include/httpd.h (original) +++ httpd/httpd/trunk/include/httpd.h Mon Sep 19 16:25:42 2011 @@ -2086,6 +2086,38 @@ AP_DECLARE(void) ap_random_insecure_byte */ AP_DECLARE(apr_uint32_t) ap_random_pick(apr_uint32_t min, apr_uint32_t max); +/** + * Abort with a error message signifying out of memory + */ +AP_DECLARE(void) ap_abort_on_oom(void) __attribute__((noreturn)); + +/** + * Wrapper for malloc() that calls ap_abort_on_oom() if out of memory + * @param size size of the memory block + * @return pointer to the allocated memory + * @note ap_malloc may be
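Review bot: The httpd.h declaration of ap_abort_on_oom() uses a bare __attribute__((noreturn)), while the ap_config.h hunk of the same commit wraps warn_unused_result in a feature-tested macro. Declare noreturn through the same kind of macro so the public header does not depend on the compiler accepting __attribute__ directly. The doc comment above that declaration should also read "an error message".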
Re: svn commit: r1172686 - in /httpd/httpd/trunk: ./ include/ modules/cache/ modules/examples/ modules/proxy/ modules/ssl/ server/ server/mpm/event/ server/mpm/worker/
On Monday 19 September 2011, Roy T. Fielding wrote: I am pretty sure that this kind of change has been vetoed numerous times in the past. What has changed? Probably nothing, except maybe the involved people. But I couldn't find any discussion about this (just about handling oom in APR, which is unrelated). The reasons for this change are stated in the commit message. Either we add logging/handling code to every call of malloc and friends, or we make a wrapper. Just continuing is usually wrong. Even such seemingly innocuous things as not adding an entry to a cache in an out of mem situation can cause much time to be wasted for debugging. We had that with the LDAP cache in the past. Besides, aborting with an error message is exactly what we do if an allocation from a pool fails (via the pool abort function). So why handle malloc differently? Roy On Sep 19, 2011, at 9:25 AM, s...@apache.org wrote: Author: sf Date: Mon Sep 19 16:25:42 2011 New Revision: 1172686 URL: http://svn.apache.org/viewvc?rev=1172686view=rev Log: Add wrappers for malloc, calloc, realloc that check for out of memory situations. Use them in most places where malloc, and friends are used. This results in clean error messages in an out of memory situation instead of segfaulting or silently malfunctioning. In some places, it just allows to remove some logging code. PR 51568, PR 51569, PR 51571.
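A stand-alone illustration of the abort-on-OOM wrapper pattern argued for above, added here and not taken from r1172686 or from httpd. All names (xmalloc, xcalloc, xrealloc, oom_handler) are hypothetical, and the explicit multiplication-overflow check in xcalloc goes beyond what the commit message describes.

```c
#include <setjmp.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical names throughout; this is not httpd's ap_malloc() family. */
typedef void (*oom_handler_fn)(const char *what, size_t size);

static void default_oom_handler(const char *what, size_t size)
{
    fprintf(stderr, "fatal: %s(%lu) failed: out of memory\n",
            what, (unsigned long)size);
    abort();
}

static oom_handler_fn oom_handler = default_oom_handler;

static void oom_fail(const char *what, size_t size)
{
    oom_handler(what, size);
    abort();                      /* a handler that returns must not let NULL escape */
}

void *xmalloc(size_t size)
{
    void *p = malloc(size);
    if (p == NULL && size != 0)   /* malloc(0) may legally return NULL */
        oom_fail("malloc", size);
    return p;
}

void *xcalloc(size_t nmemb, size_t size)
{
    void *p;
    if (size != 0 && nmemb > SIZE_MAX / size)   /* nmemb * size would wrap */
        oom_fail("calloc", SIZE_MAX);
    p = calloc(nmemb, size);
    if (p == NULL && nmemb != 0 && size != 0)
        oom_fail("calloc", nmemb * size);
    return p;
}

void *xrealloc(void *ptr, size_t size)
{
    void *p = realloc(ptr, size);
    if (p == NULL && size != 0)   /* realloc(ptr, 0) may also return NULL */
        oom_fail("realloc", size);
    return p;
}

/* Test hook: replace the handler with one that jumps back to the caller. */
static jmp_buf trap_env;

static void trap_handler(const char *what, size_t size)
{
    (void)what; (void)size;
    longjmp(trap_env, 1);
}

/* Returns 1 if xcalloc(nmemb, size) hit the OOM handler, 0 if it succeeded. */
int oom_trapped_on_calloc(size_t nmemb, size_t size)
{
    oom_handler_fn saved = oom_handler;
    void *volatile p = NULL;
    volatile int fired = 0;

    oom_handler = trap_handler;
    if (setjmp(trap_env) == 0)
        p = xcalloc(nmemb, size);
    else
        fired = 1;
    oom_handler = saved;
    free(p);
    return fired;
}

/* Happy path: callers use the results without NULL checks. Returns 1 if OK. */
int roundtrip_ok(void)
{
    size_t i;
    int ok = 1;
    unsigned char *buf = xmalloc(16);
    unsigned char *zeros = xcalloc(8, 4);

    memset(buf, 0xAB, 16);
    buf = xrealloc(buf, 4096);    /* no leak-on-failure: failure never returns */
    for (i = 0; i < 16; i++)
        if (buf[i] != 0xAB) ok = 0;
    for (i = 0; i < 32; i++)
        if (zeros[i] != 0) ok = 0;
    free(zeros);
    free(buf);
    return ok;
}

int main(void)
{
    printf("roundtrip ok: %d\n", roundtrip_ok());
    printf("overflowing calloc trapped: %d\n", oom_trapped_on_calloc(SIZE_MAX, 2));
    return 0;
}
```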
Re: svn commit: r1172686 - in /httpd/httpd/trunk: ./ include/ modules/cache/ modules/examples/ modules/proxy/ modules/ssl/ server/ server/mpm/event/ server/mpm/worker/
On 9/19/2011 1:20 PM, Stefan Fritsch wrote: Besides, aborting with an error message is exactly what we do if an allocation from a pool fails (via the pool abort function). So why handle malloc differently? We install a pool abort function in httpd?
Re: svn commit: r1172686 - in /httpd/httpd/trunk: ./ include/ modules/cache/ modules/examples/ modules/proxy/ modules/ssl/ server/ server/mpm/event/ server/mpm/worker/
On Monday 19 September 2011, William A. Rowe Jr. wrote: On 9/19/2011 1:20 PM, Stefan Fritsch wrote: Besides, aborting with an error message is exactly what we do if an allocation from a pool fails (via the pool abort function). So why handle malloc differently? We install a pool abort function in httpd? Yes, in main.c. But only in trunk, not in 2.2.x.
Re: svn commit: r1172686 - in /httpd/httpd/trunk: ./ include/ modules/cache/ modules/examples/ modules/proxy/ modules/ssl/ server/ server/mpm/event/ server/mpm/worker/
On Monday 19 September 2011, Stefan Fritsch wrote: On Monday 19 September 2011, William A. Rowe Jr. wrote: On 9/19/2011 1:20 PM, Stefan Fritsch wrote: Besides, aborting with an error message is exactly what we do if an allocation from a pool fails (via the pool abort function). So why handle malloc differently? We install a pool abort function in httpd? Yes, in main.c. But only in trunk, not in 2.2.x. Found some discussion: http://mail-archives.apache.org/mod_mbox/httpd-dev/200605.mbox/%3c20060510120403.gb13...@redhat.com%3E
Re: svn commit: r1172010 - /httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
On 17.09.2011 18:25, drugg...@apache.org wrote: +if (res == 1) { +/* Removing the client cert if verification is OK + * could save a loop when choosing which cert to send + * when more than one is available */ +/* XXX: This is not needed if we collapse the two + * checks in ssl_engine_kernel in the future */ +X509_free(sk_X509_shift(chain)); IMO, you can always drop the first element of the chain, since you only want to remember CA certs in pkp-ca_certs. +else { +int n=X509_STORE_CTX_get_error(sctx); +ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, + SSL proxy client cert chain verification failed for %s: %s, + cert_cn, X509_verify_cert_error_string(n)); +} Here, cert_cn holds the X509_NAME_oneline() string of the subject DN. Either the variable name is a misnomer or a typo (did you mean cert_dn instead of cert_cn?), but more importantly, we should not add new code which still calls X509_NAME_oneline(), at least for trunk... as its OpenSSL man page states: its use is strongly discouraged in new applications. I have just added ssl_log_xerror() and SSL_X509_NAME_to_string() in r1172797, can you adapt the code in ssl_callback_proxy_cert() to make use of these where applicable/possible? Hopefully this makes logging cert details in mod_ssl more straightforward. Kaspar
Re: Pushing for httpd 2.4.0 GA
Just a reminder about this, providing a way to phase out a server by only accepting existing sessions/routed requests. |51247|New|Enh|2011-05-23|Enhance mod_proxy and _balancer with worker status I've reviewed the other patch https://issues.apache.org/bugzilla/show_bug.cgi?id=48841 and I had a similar idea, wondering if the route-only intent would happen if I tried to set lbfactor=0 but it only allowed values 1-100 and I worried about the complexity of changing the lbmethod formulae so using a separate status code seemed cleaner. It's a bit of a magic value, but an intuitive one I think. On the user surface lbfactor=0 requires less change than my ROUTE_ONLY to the configuration and balancer-manager but it needs some documentation to clarify the intent. I also attached a patch to https://issues.apache.org/bugzilla/show_bug.cgi?id=51247 for the trunk, but since I'm having trouble with the overall compile it's in theory. Please forgive compile issues, but I wanted to at least share the thought and will update when I can verify a compile and test run. In the end, either solution can work, and my hope is that multiple attempts at the same goal make a stronger case to bring the functionality to the 2.2.x stream for people to enjoy sooner rather than later. \|/- Keith Mashinter kmash...@yahoo.com From: Jim Jagielski j...@jagunet.com To: dev@httpd.apache.org Sent: Monday, September 19, 2011 9:00:44 AM Subject: Re: Pushing for httpd 2.4.0 GA On Sep 18, 2011, at 6:52 PM, Rainer Jung wrote: - mpm_simple mpm_simple likely to get dropped for 2.4, see our main STATUS file I hope to spend some time diving into mod_simple… I have some uncommitted patches that I need to re-look at.