On 8/19/2010 7:57 PM, Jeff Trawick wrote:
On Tue, Jul 20, 2010 at 10:59 AM, Daniel Ruggeri <drugg...@primary.net> wrote:
On 7/16/2010 10:37 AM, Jeff Trawick wrote:
On Fri, Jul 16, 2010 at 11:27 AM, William A. Rowe Jr.
wr...@rowe-clan.net
to this again in hopes of making the 2.2.17 release.
P.S.
I would love to include details of this patch in my ApacheConNA 2010
session as it helps address some of the shortfalls the intelligence
shortfalls.
--
Daniel Ruggeri
On 10/5/2010 8:56 PM, William A. Rowe Jr. wrote:
On 10/5/2010 5:41 PM, Daniel Ruggeri wrote:
All;
With the talk about a 2.2.17 coming soon, I would very much like to get the
remaining requisite votes and implementation of the patch (48939 - in STATUS
currently) I had submitted
simpler to handle.
Regards,
Graham
--
I like this idea quite a bit. I am not able to look at the codebase
right now, but could this work the same for ProxyPassReverse?
--
Daniel Ruggeri
third party proxy modules
for httpd.
--
Daniel Ruggeri
a leap of faith at some point to trust that the
user sitting at the keyboard is who they say they are.
--
Daniel Ruggeri
before I put
together a bug report and send in a patch?
P.S.
I am opposed to mod_ssl's check that the argument to SSLPassPhraseDialog
exec:blah is a file. This prevents calling an arbitrary executable with
parameters. Thoughts?
--
Daniel Ruggeri
On 11/21/2010 2:38 AM, Stefan Fritsch wrote:
On Sat, 20 Nov 2010, Daniel Ruggeri wrote:
In mod_ssl there is a very handy option of making an exec callout for
SSLPassPhraseDialog rather than to put a password for your private key
in the conf file. The obvious benefit here is that one can
and file components of
A tag in CHANGES would be appreciated:
*) Proxy: Detect SSL handshake failures during proxy pass attempts
and place backend in error state. PR 50332. [Daniel Ruggeri DRuggeri
primary.net]
--
Daniel Ruggeri
Index: httpd-trunk/modules/proxy/mod_proxy_http.c
your suggested message after marking
the workers to be in error state.
--
Daniel Ruggeri
Index: httpd-2.2.x/STATUS
===
--- httpd-2.2.x/STATUS (revision 1037345)
+++ httpd-2.2.x/STATUS (working copy)
@@ -184,6 +184,14
expired and the first backend
is retried. IMO, SSL handshake failures should be detected during
connection so we could attempt another backend but I am not sure that's
possible.
--
Daniel Ruggeri
ap_proxy_http_process_response would definitely be redundant! Thank you
very much for catching it (and explaining this to me). I have updated
the patches and bug report and attached the updates for reference.
--
Daniel Ruggeri
Index: httpd-2.2.x/STATUS
Good day, all;
I would appreciate it if a committer could spare a moment to patch
the 2.2 STATUS file to include this as a proposal (a +1 would be really
great, too). For reference, the patch is also attached. The trunk patch
was applied in r1039304.
--
Daniel Ruggeri
Index: httpd-2.2
this is a holdover from older releases where some of these
directives had Error* equivalents.
I fully support this!
--
Daniel Ruggeri
During Rich's ApacheCon presentation he mentioned that some much needed
love for the balancer manager was on its way... is anyone working on
this currently? I'm not seeing anything in the released alphas and would
be happy to be a guinea pig to do some testing/give thoughts.
--
Daniel
rule if timeout occurs
FWIW, Jim, I'm a big fan of this part.
--
Daniel Ruggeri
in the long run, but rather as direct
HTTP GET requests (need to make it more REST though)...
+1 on the checkbox idea for the exact reason you mentioned.
--
Daniel Ruggeri
a
'LogTimeoutErrors' (or something to that effect) directive be The Right
Thing to do in this case?
--
Daniel Ruggeri
to the backend
failed such that mod_proxy can put the worker in error state.
PR: 50332
Submitted by: Daniel Ruggeri DRuggeri primary.net
Reviewed by: rpluem
* Fix r1039304 and make the patch similar to the one proposed for
2.2.x: If the SSL handshake to the backend fails we cannot even
sent
of CGI squirreled away in htdocs directory
Only two of those points seem worth noting for this particular issue.
I'll try to get a test case with a throw-away cert/key combo for folks
to try and generate a formal bug today, but has anyone heard of/seen
this behavior before?
--
Daniel
On 3/11/2011 8:55 AM, Joe Orton wrote:
Hi Daniel -
On Fri, Mar 11, 2011 at 05:47:15AM -0600, Daniel Ruggeri wrote:
Some high-level settings for the httpd configuration are bulleted
below, but otherwise this happens on an httpd 2.2.15 build for
Probably https://issues.apache.org/bugzilla
, to handle such
cases as:
ProxyPass / ajp://localhost:8009/jsp/
ProxyPassReverse / http://www.example.com/jsp/
but shouldn't we automagically handle the common case??
Big +1 here.
--
Daniel Ruggeri
start to correct the issues you call out.
--
Daniel Ruggeri
project...
--
Daniel Ruggeri
the effort to adjust my patch or at least take care of that bug that's
out there still.
--
Daniel Ruggeri
Only in httpd-2.2.15-patched: httpd2.2.15.EnableZeroLbfactor.patch
Only in httpd-2.2.15-patched/modules/proxy: httpd2.2.15.EnableZeroLbfactor.patch
diff -ru httpd-2.2.15/modules/proxy
On 5/25/2011 5:41 AM, Mladen Turk wrote:
On 05/25/2011 02:27 AM, Daniel Ruggeri wrote:
I attached the patch to a bug opened by Cameron Stokes
https://issues.apache.org/bugzilla/show_bug.cgi?id=48841
Just a quick note on the first thing I saw:
+ //worker-lbfactor = atoi(val);
+ worker
admin needs constant reminders while they are running 2.2 and 2.4 from
a single config.
+1... warning seems a bit dire for the circumstances.
--
Daniel Ruggeri
).
Roy
+1 Sorry, I didn't catch that - good point.
--
Daniel Ruggeri
this problem goes away :)
Yup - also consider that a lot of folks build the software on different
machines (and potentially different environments/layouts) than the ones
the software runs on.
--
Daniel Ruggeri
about mod_lua since it is
also one of the mentioned experimental modules. I would also see a case
for mod_log_debug to be in MOST. It's one of those modules that one
wouldn't care too much about until it's needed.
--
Daniel Ruggeri
to maintain the functionality for httpd.
--
Daniel Ruggeri
a
wrapper as ap_parse_htaccess? I would foresee that such a wrapper would
issue a deprecation warning when called, but will call ap_parse_htaccess
with a NULL in place of the (new) override_list.
cheers!
--
Daniel Ruggeri
diff -ru httpd-2.3.12-beta/include/http_config.h
httpd-2.3.12
On 7/21/2011 3:32 AM, Igor Galić wrote:
I think you're missing an MMN bump, regarding backporting - or API in
general, the wrapper is the right way to go.
Also: Why not patch against trunk?
i
Daniel Ruggeri drugg...@primary.net wrote:
All;
I am attaching a patch that will allow
On 7/24/2011 2:12 AM, Stefan Fritsch wrote:
On Friday 22 July 2011, Daniel Ruggeri wrote:
Attached is the final cut of the patch including doco and MMN bump
as you brought up. I plan to commit this on Monday, time
permitting (and of course in the absence of objections). I'll
cobble something
fine so I suspect there's more to the equation.
--
Daniel Ruggeri
On 7/26/2011 6:29 PM, Daniel Ruggeri wrote:
Both points taken and implemented. Regarding invalid directives, I set
it as a warning informing that the directive is being discarded. I never
actually tested apr_tables to see if they were case sensitive but had
assumed they were. The offending
in the code to recognize the change
--
Daniel Ruggeri
to the problem. I've been asking why this is a
vulnerability for years and have yet to receive an answer... Maybe I
haven't asked the right people.
--
Daniel Ruggeri
! I'll definitely update
the patch with this because the method I'm using is certainly a
sticks-and-stones approach.
--
Daniel Ruggeri
=X509_STORE_CTX_get1_chain(ctx);
for (i = sk_X509_num(tmp_stack) - 1; i >= 0; i--) {
sk_X509_push(chain, sk_X509_value(tmp_stack, i));
}
X509_STORE_CTX_free(ctx);
return sk_X509_num(chain);
}
--
Daniel Ruggeri
.
Regards, Joe
If we are taking score, count me as a +1.
--
Daniel Ruggeri
;
X509_STORE_CTX_cleanup(sctx);
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
"client certificate %i has loaded %i intermediate CA%s",
n, i, i == 1 ? "" : "s");
}
X509_STORE_CTX_free(sctx);
}
--
Daniel Ruggeri
(sk_X509_value(chain, j));
X509_NAME_oneline(ca_name, ca_cn, sizeof(ca_cn));
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "%i: %s", j, ca_cn);
}
}
}
X509_STORE_CTX_free(sctx);
...
--
Daniel Ruggeri
);
+}
+}
}
X509_STORE_CTX_free(sctx);
Regards
Rüdiger
Thank you. Fixed in r1172562.
--
Daniel Ruggeri
in that bug report. The patch
provides for a 'drain' setting which should do the trick.
--
Daniel Ruggeri
);
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "%i: %s", j, ca_dn);
}
}
}
X509_STORE_CTX_free(sctx);
--
Daniel Ruggeri
);
}
}
}
/* get ready for next X509_STORE_CTX_init */
X509_STORE_CTX_cleanup(sctx);
}
X509_STORE_CTX_free(sctx);
--
Daniel Ruggeri
On 9/23/2011 10:07 AM, Kaspar Brand wrote:
On 22.09.2011 22:25, Daniel Ruggeri wrote:
trunk suggestion - if this jives, I'll commit later when I have a bit
Looks good, just some nits:
for (n = 0; n < ncerts; n++) {
int i, res;
res is no longer used, AFAICT
Correct - removed
-
could you re-add that? It makes sure we also capture the OpenSSL error
in the log, before aborting.
Kaspar
All set - the suggestions you made have been added and the results
committed to trunk. STATUS and the 2.2 patch have been updated as well.
Thanks again - cheers!
--
Daniel Ruggeri
has been updated today to reflect this. Please have a look when you can.
--
Daniel Ruggeri
on achieving this objective. One question, though, about moving
the handler into http... Does that also imply adjusting the logging
level by using http:crit? Wouldn't we swallow several other important
messages by changing logging levels there?
--
Daniel Ruggeri
that after waiting a bit more for possible objections. BTW,
debug would be fine for me, too.
+1 for info level
--
Daniel Ruggeri
of the other tasks of integrating it into the code base.
BTW, Nick, I think this is a really good idea - thank you for bringing
it up.
--
Daniel Ruggeri
, packagers, and end-users who build
from source rather than packages!
Awesome :)
--
Daniel Ruggeri
into compliance. More back and forth at
https://issues.apache.org/bugzilla/show_bug.cgi?id=50812.
P.S.
Have fun at ACNA2011 - wish I could be there!
--
Daniel Ruggeri
this one... does anyone have the history to
elaborate?
--
Daniel Ruggeri
you are doing? If not, can you email me directly or share
a bit more of a complete example configuration? I have a few test CA's I
stood up for the patch mentioned above that I wouldn't mind taking a
crack at this one. FWIW, In all of my test cases I used ProxyPass to
balancers.
--
Daniel Ruggeri
.
--
Daniel Ruggeri
would be pretty great.
I'm more than happy to help in this role, but don't always consistently
have the time available to keep as sharp an eye on the tracker as I
would like.
--
Daniel Ruggeri
until next one!
--
Daniel Ruggeri
On 4/14/2014 11:41 AM, Joe Orton wrote:
It's free... dunno why I didn't think of this before.
http://svn.apache.org/viewvc?view=revision&revision=1587255
Regards, Joe
Awesome - proposed for backport in 2.4. Thanks!
--
Daniel Ruggeri
On 4/15/2014 2:21 PM, Jim Jagielski wrote:
I can't recall... isn't the issue still being worked an
additional aspect of mod_rewrite and UDS; that is, a new
behavior to be added (or handled) rather than a broken
behavior.
That was my understanding, too
--
Daniel Ruggeri
). Is this intentional?
Hi, Ruediger;
Yes, that was the original goal. The use case I was tackling was a
case where a backend application server started accepting HTTP requests
before the Servlets had all completed init(). In that case, the backend
returns a 503.
--
Daniel Ruggeri
?
--
Daniel Ruggeri
Bruno;
You did everything right. I have committed this to trunk in r1648201
and proposed for 2.4 backport in STATUS. Thanks for the patch.
--
Daniel Ruggeri
On 12/28/2014 6:28 AM, Bruno Raoult wrote:
Hi,
I am really sorry for this stupid question.
I did send a bug report, with a patch
of this discussion).
Also, don't hesitate to reach out if I can help out with any of the
regular or extracurricular activities during/after/around the conference.
--
Daniel Ruggeri
On 2/10/2015 1:36 PM, Rich Bowen wrote:
Here's my proposed httpd (and related) track. If anyone has any
objections
+1
There are also some neat-o features I added in my notes during ACNA to
stick into the balancer manager, too... I plan to get around to them in
vague, noncommittal reference to free time as it permits days.
--
Daniel Ruggeri
On 4/24/2015 7:52 AM, Jim Jagielski wrote:
Right now, the balancer
link could circumvent if an admin isn't using the appropriate regex.
--
Daniel Ruggeri
On 4/30/2015 8:16 AM, Yann Ylavic wrote:
On Thu, Apr 30, 2015 at 2:57 PM, Jim Riggs apache-li...@riggs.me wrote:
Thanks, Yann. I remember looking at this code before. The question remains,
though
other than me
actually cares, I wish you all well today/tonight!
- Jim
All in all, man, this is solid. I like what you've done here.
--
Daniel Ruggeri
that were missing)
*Add ability to reset the stats captured
*Set or adjust min/max for the connection pooling
*Send what httpd thinks the worker status is (useful for backends that
would like to know about drain, etc) to the backend in a header
--
Daniel Ruggeri
On 4/27/2015 9:43 AM, Jim Jagielski
Nice!
--
Daniel Ruggeri
Original Message
From: Jacob Perkins jacob.perk...@cpanel.net
Sent: May 15, 2015 10:18:08 AM CDT
To: dev@httpd.apache.org
Subject: cPanel Apache 2.4
Good afternoon,
As some of you may be aware, cPanel is a leader in the hosting industry as we
Yep, my mistake. I thought there was a command line switch to change the
host header. You're correct - it wouldn't make much sense to override
one and not the other.
--
Daniel Ruggeri
On 5/16/2015 11:25 AM, Jeff Trawick wrote:
in that case shouldn't you also be overriding Host:, so the SNI
+1, but I would also propose a command line flag to override the SNI host name
supplied in case one is testing directly by IP address.
--
Daniel Ruggeri
Original Message
From: Jeff Trawick traw...@gmail.com
Sent: May 12, 2015 2:31:37 PM CDT
To: Apache HTTP Server Development
-like systems,
but was wondering if you folks use any other tools to help along that path?
--
Daniel Ruggeri
.
+1
FWIW, I think Kaspar had a driving technical reason for its deprecation,
but I can't seem to find the original email talking about it.
--
Daniel Ruggeri
Additional providers is cool... but what do you mean by fold in? Add them as
additional modules?
(Sorry for top-post... mobile email client)
--
Daniel Ruggeri
Original Message
From: Jim Jagielski j...@jagunet.com
Sent: June 18, 2015 11:52:12 AM CDT
To: httpd dev
through the cognitive
dissonance I'd be +1 for adding this to trunk but -1 for 2.4 unless we
can find a way to avoid the dependency unless the lbmethod really needs
it (I don't see how, but please do enlighten me if this is possible).
--
Daniel Ruggeri
as easy to pull up the minutes each month by hand, too.
--
Daniel Ruggeri
On 5/30/2015 1:47 PM, Daniel Ruggeri wrote: Thinking about this more,
what are the things preventing people from an
_easy_ upgrade path configuration-wise? A lot of this conversation
surrounded users and the impact of an upgrade to them. The interface for
the users' to the server
the aforementioned authz
directives.
--
Daniel Ruggeri
space to add stuff via
conf+graceful restart should be avoided.
--
Daniel Ruggeri
to come into
play that might be handy like disabling based on status code). I haven't
seen the code, but your previous email said you were thinking of the
former case.
P.S.
Thanks for taking this on. It's been on my own todo list for a long time.
--
Daniel Ruggeri
On 1/8/2016 1:09 PM, Jim
*) I intend to help maintain/test 2.2.x releases over the next [_12___] mos
*) I intend to backport/review 2.2.x security patches over the next
[_18___] mos
--
Daniel Ruggeri
+1
Really nice work
--
Daniel Ruggeri
On 3/13/2016 10:45 AM, Jim Jagielski wrote:
> I've given it a quick look-thru and I. Am. Impressed.
>
> This is more Super Cool Mojo!
ile we do it.
--
Daniel Ruggeri
I'm assuming that compiler optimizations would make both patches "six to
one, half dozen to the other" as far as code path followed during the
request cycle... but I agree.
Fixed in trunk in r1737114 and proposed for backport in 2.4 in STATUS.
--
Daniel Ruggeri
On 3/30/2016 8:0
" or "fail", but it's probably not worth monkeying with.
--
Daniel Ruggeri
o see what it would take to
collapse this down to a per proxy/worker/etc, but it doesn't seem like
terrible endeavor.
--
Daniel Ruggeri
On 1/31/2017 4:30 PM, Jacob Champion wrote:
> On 01/30/2017 05:39 PM, Daniel Ruggeri wrote:
>> I'm tremendously inspired by this work. What are your thoughts on the
>> idea of having a series of docker container builds that compile and run
>> the test suite on variou
DR_LEN is read and we know if a header is there or not
we can discard ctx->bb, reinitialize ctx and move to READBYTES mode.
--
Daniel Ruggeri
em)->addr, addr->host_addr))
>> {
>> +remoteip_warn_enable_conflict(*rem, cmd->server, arg);
>> +*rem = (*rem)->next;
>> + }
>> +else {
>> +for (list = *rem; list->next; list = list->next) {
>> +if (remoteip_sockaddr_equal(list->next->addr,
>> addr->host_addr)) {
>> +remoteip_warn_enable_conflict(list->next,
>> cmd->server, arg);
>> +list->next = list->next->next;
>> +break;
>> +}
>> +}
>> +}
>> +}
>> +}
>> +
>> +/* add address to desired list */
>> +if (!remoteip_addr_in_list(*add, addr->host_addr)) {
>> +remoteip_addr_info *info = apr_palloc(global_conf->pool,
>> sizeof(*info));
> Could cmd->pool be used here, instead?
This came from the original authors of the code, but I think it's
correct. This is the only place remoteip_config_t->pool is allocated
into. A collection of all enabled, disabled and optional
remoteip_addr_info structs is kept and examined pre-connection to
determine if the filter should be inserted for the connection. Since the
server is not known pre-connection, this must be stored in the global
server. The lifetime of cmd->pool would prevent using it here.
>
>> . . .
>> static const command_rec remoteip_cmds[] =
>> {
>> AP_INIT_TAKE1("RemoteIPHeader", header_name_set, NULL, RSRC_CONF,
>> @@ -450,11 +1211,21 @@ static const command_rec remoteip_cmds[]
>> RSRC_CONF | EXEC_ON_READ,
>> "The filename to read the list of internal proxies, "
>> "see the RemoteIPInternalProxy directive"),
>> +AP_INIT_TAKE1("RemoteIPProxyProtocolEnable",
>> remoteip_enable_proxy_protocol, NULL,
>> + RSRC_CONF, "Enable proxy-protocol handling (`on',
>> `off')"),
> `optional' is missing
Fixed - thanks!
>
>> { NULL }
>> };
>>
>> static void register_hooks(apr_pool_t *p)
>> {
>> +/* mod_ssl is CONNECTION + 5, so we want something higher (earlier);
>> + * mod_reqtimeout is CONNECTION + 8, so we want something lower (later)
>> */
>> +ap_register_input_filter(remoteip_filter_name, remoteip_input_filter,
>> NULL,
>> + AP_FTYPE_CONNECTION + 7);
>> +
>> +ap_hook_pre_config(remoteip_hook_pre_config, NULL, NULL,
>> APR_HOOK_MIDDLE);
>> +ap_hook_post_config(remoteip_hook_post_config, NULL, NULL,
>> APR_HOOK_MIDDLE);
>> +ap_hook_pre_connection(remoteip_hook_pre_connection, NULL, NULL,
>> APR_HOOK_MIDDLE);
>> ap_hook_post_read_request(remoteip_modify_request, NULL, NULL,
>> APR_HOOK_FIRST);
>> }
>>
--
Daniel Ruggeri
a backport.
P.S.
I'm also a big fan of backports requiring tests, but am honestly
intimidated by the testing framework...
--
Daniel Ruggeri
On 1/30/2017 2:02 PM, Jacob Champion wrote:
> On 01/02/2017 07:53 AM, Daniel Shahaf wrote:
>> Setting this up isn't a lot more complicated th
On 1/25/2017 9:02 PM, Daniel Ruggeri wrote:
> On 1/25/2017 6:53 PM, Daniel Ruggeri wrote:
>> I'd say that not returning until ctx->bb has enough information to
>> determine if the header is present or not would be sufficient. Isn't
>> this already done in the po
s is equal to returning EAGAIN.
> +return APR_EOF;
> +}
Coming back to this one after correcting the setaside stuff... Is this
what you have in mind or should we actually return APR_EAGAIN?
return block == APR_NONBLOCK_READ ? APR_SUCCESS : APR_EOF;
--
Daniel Ruggeri
ers under certain circumstances. What I'm particularly unclear
about is what those circumstances would be.
I'll try to reply to the other thread to provide more clarity.
--
Daniel Ruggeri
On 1/24/2017 8:36 AM, Jim Jagielski wrote:
> ++1. I know that Daniel is out of pocket for a little bit
First, my apologies, but it looks like line wrapping is going to exceed
the usual number of columns so formatting may get wonky in this reply.
On 1/17/2017 3:48 AM, Plüm, Rüdiger, Vodafone Group wrote:
>
>> -Original Message-
>> From: Daniel Ruggeri [mailto:drugg
On 1/25/2017 6:53 PM, Daniel Ruggeri wrote:
> I'd say that not returning until ctx->bb has enough information to
> determine if the header is present or not would be sufficient. Isn't
> this already done in the potentially repeated calls to ap_get_brigade on
> line no 1056
On 2017-02-15 09:07 (-0600), William A Rowe Jr wrote:
> On Wed, Feb 15, 2017 at 9:02 AM, Sander Hoentjen wrote:
> >
> > mod_remote ip has:
> > /* mod_proxy creates outgoing connections - we don't want those */
> > if
ctx after the outer loop's
ap_get_brigade call would satisfy both cases mentioned above since the
filter would then just fill ctx->header from 0 index and continue asking
for a full header's worth of data.
> If not and you are in non blocking mode no new data was available
ogle/brotli stable
> release)
> jailletc36: doc should also be back-ported (r1779091 + r1779699)
>
>*) mod_ssl: work around leaks on (graceful) restart.
>
>
--
Daniel Ruggeri