mod_proxy: Don't put the worker in error state for 500 or 503 errors
returned by the backend unless failonstatus is configured to.  PR 56925.


mod_proxy: follow up to r1681694.

Handle the proxy-error-override note also in mod_proxy_ajp.

The note is not needed in mod_proxy_fcgi (which also handles
ProxyErrorOverride) since it calls ap_die() by itself, and always
returns OK to proxy_handler().

Add a comment about the note where used.

Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1683112 13f79535-47bb-0310-9956-ffa450edef68

PR 57968: Don't lowercase the argument to SetHandler if the handler is
proxy:unix.


Submitted by: covener
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1682888 13f79535-47bb-0310-9956-ffa450edef68

handler or input filter already did it while reading the request (causing
a double response body).

Submitted by: ylavic
Backports: r1482522 (partial, ap_map_http_request_error() things only!),
           r1529988, r1529991, r1643537, r1643543, r1657897, r1665625, 
           r1665721, r1674056
Reviewed by: ylavic, minfrin, wrowe




git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1682544 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1682360 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1682077 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1681347 13f79535-47bb-0310-9956-ffa450edef68

r1679032:

mod_ssl OCSP Stapling: Don't block initial handshakes while refreshing
the OCSP response for a different certificate.  mod_ssl has an additional
global mutex, "ssl-stapling-refresh".

Not mentioned in CHANGES:

Stapling no longer uses a mutex when using a stapling cache
implementation which doesn't require it.  (A further, unrelated
code change to mod_ssl is required to allow the use of memcache 
as a stapling cache, and I haven't tested with distcache; thus
it isn't clear if this helps in practice yet.)

r1679192:

Fix regression in check for cached response
(Essentially) Submitted by: ylavic

r1680276:

OCSP stapling: slight simplification to some internal interfaces,
add a few comments and sanity checks

Submitted by: trawick (with assist from ylavic)
Reviewed by: jim, jorton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1681320 13f79535-47bb-0310-9956-ffa450edef68

* modules/aaa/mod_authz_owner.h: Add header file with optional hook
  declaration for "authz_owner_get_file_group".

* modules/aaa/mod_authz_dbm.c, modules/aaa/mod_authz_groupfile.c: Use
  the header to pick up the above declaration; retrieve the optional
  function in a hook; use a static variable to store the function
  pointer.

Submitted by: jorton
Reviewed by: jkaluza, wrowe, jorton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1681311 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1681187 13f79535-47bb-0310-9956-ffa450edef68

http: Make ap_die() robust against any HTTP error code and not modify
response status (finally logged) when nothing is to be done.


ap_die(): follow up to r1657881.

Use log level DEBUG for AP_FILTER_ERROR => HTTP_INTERNAL_SERVER_ERROR.
Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1681114 13f79535-47bb-0310-9956-ffa450edef68

core: Cleanup the request soon/even if some output filter fails to
handle the EOR bucket.

Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1681113 13f79535-47bb-0310-9956-ffa450edef68

* mod_authn_dbd: apr_pstrdup dbd_password and dbd_hash to fix use-after-free
bug with postgresql


mod_authn_dbd, mod_authz_dbd, mod_session_dbd, mod_rewrite: Fix lifetime
of DB lookup entries independently of the selected DB engine.  PR 46421.

Suggested by: Michel Stam <michel reverze net>
Proposed by: Steven whitson <steven.whitson gmail com>
Reviewed/Extended/Committed by: ylavic


Follup up to r1679181: CHANGES entry.
Submitted by: jkaluza, ylavic, ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1681107 13f79535-47bb-0310-9956-ffa450edef68

mod_log_config: instead of using the new dedicated
pattern format "%M" for duration milliseconds,
overload the existing "%D" to choose the time precision
("%{s}D" for seconds, "%{ms}D" for milliseconds and
"%{us}D" for microseconds).

The existing %T and %D without precision are kept for
compatibility.

The previously introduced "%M" (r1677187) is removed,
it has not yet been released. Format pattern characters
are rare, so we should only use a new one if an
existing one isn't a good fit.


Fix syntax.


Follow-up to r1680895:

Let %T be the format character which accepts time resolution
arguments.

Submitted by: rjung, trawick
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1681106 13f79535-47bb-0310-9956-ffa450edef68

Conform to RFC 7525, with additional suggestion to drop RSA Kx ciphers

Document RFC 7525 changes
Submitted by: wrowe
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1679987 13f79535-47bb-0310-9956-ffa450edef68

mod_ssl: Check for RAND_egd() at configure time and only use it if present.
Fixes the build with LibreSSL which does not provide this function.

Submitted by: Bernard Spil <pil.oss gmail com>, stsp
Committed by: stsp


mod_ssl: Make the config parser complain if SSLRandomSeed specifies
the Entropy Gathering Daemon (EGD) as source while the underlying
SSL library does not support EGD (e.g. in case of LibreSSL).

Suggested and reviewed by: kbrand


Follow up to r1674542 and r1675410: CHANGES entry.
Submitted by: stsp, ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1679199 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1678717 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1678234 13f79535-47bb-0310-9956-ffa450edef68

consistently output SSLCertificateChainFile deprecation warnings
Submitted by: kbrand
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1678233 13f79535-47bb-0310-9956-ffa450edef68

If a directory exists but no indexes can be resolved, the fallback resource
should be attempted first before giving up.

Submitted By: Jack <tjerk.meesters gmail.com> , covener
Committed By: covener


Submitted by: covener
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1677186 13f79535-47bb-0310-9956-ffa450edef68

Add support for extracting subjectAltName entries of type
rfc822Name and dNSName into SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n
variables.

* docs/manual/mod/mod_ssl.xml: add SSL_*_SAN_*_n entries to the
  environment variables table

* modules/ssl/ssl_engine_kernel.c: in ssl_hook_Fixup, add extraction
  of subjectAltName entries for the "StdEnvVars" case

* modules/ssl/ssl_engine_vars.c: add support for retrieving the
  SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n variables, either with
  individual on-demand lookup (ssl_var_lookup_ssl_cert_san),
  or with full-list extraction to the environment ("StdEnvVars")

* modules/ssl/ssl_private.h: add modssl_var_extract_san_entries prototype

* modules/ssl/ssl_util_ssl.c: implement SSL_X509_getSAN and
  SSL_ASN1_STRING_to_utf8 helper functions, with factoring out common
  code from SSL_X509_getIDs and SSL_X509_NAME_ENTRY_to_string where
  suitable. Limit SSL_X509_getSAN to the two most common subjectAltName
  entry types appearing in user or server certificates (i.e., rfc822Name
  and dNSName), for the time being.

* modules/ssl/ssl_util_ssl.h: add SSL_ASN1_STRING_to_utf8
  and SSL_X509_getSAN prototypes


Proposed by: kbrand
Reviewed by: ylavic, druggeri


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1676087 13f79535-47bb-0310-9956-ffa450edef68

mpm_event: Allow for timer events duplicates. 
Meanwhile ap[r]_skiplist_add()...


mpm_event: follow up to r1666468.
We only need one compare function for add semantic with apr_skiplist_insert()
and unique timers (pointers). It also should work with apr_skiplist_remove()
and apr_skiplist_find(), be they used some day.


mpm_event: follow up to r1666468 and r1666618.
We don't need to return 0 in the compare function, but for debugging purpose
which we could implement later if necessary (in a separate function).
For now, keep the function simple as in 2.4.x to ease backport, and add a
comment about why we never return 0 here.

Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1674921 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1674670 13f79535-47bb-0310-9956-ffa450edef68

move CHANGES entries to correct version.

Use "mod_ssl" instead of "ssl".


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1674667 13f79535-47bb-0310-9956-ffa450edef68

mod_proxy_wstunnel: Bypass the handler while the connection is not
upgraded to WebSocket, so that other modules can possibly take over
the leading HTTP requests.

Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1674661 13f79535-47bb-0310-9956-ffa450edef68

* Fix If-Match handling:
  - We need to fail if we do NOT match.
  - ETag comparison only makes sense if we have an ETag

PR: 57358
Submitted by: Kunihiko Sakamoto <ksakamoto google.com>
Reviewed by: rpluem

Submitted by: rpluem
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1674658 13f79535-47bb-0310-9956-ffa450edef68

Add a warning if protocol given in SSLProtocol  or SSLProxyProtocol will override other parameters given in the same directive.
This could be a missing + or - prefix.

PR 52820

Tweak log message

Add CHANGES entry before backport proposal

Follow-up to r1520445:

Tweak error message for clarity

Submitted by: jailletc36, trawick
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1674655 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1674048 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1673942 13f79535-47bb-0310-9956-ffa450edef68

* Use the correct server name for SNI in case the backend SSL connection itself
  is established via a proxy server.

PR: 57139
Submitted by: Szabolcs Gyurko <szabolcs gyurko.org>



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1673941 13f79535-47bb-0310-9956-ffa450edef68

ssl_util: Fix possible crash (free => OPENSSL_free) and error path leaks when
checking the server certificate constraints (SSL_X509_getBC()).



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1673940 13f79535-47bb-0310-9956-ffa450edef68

    PR 57379: If mod_cgi and mod_cgid get installed,
    use IfModule for MPM to LoadModule mod_cgi for
    prefork and mod_cgid for all other MPMs.

    Previously when combined with --enable-load-all-modules
    both modules were loaded and it was undefined
    which one actually handled cgi requests.

    Based on a patch by olli hauer <ohauer gmx.de>.


    Addition to r1652955: Use "=" in combination
    with "test" instead of "==".


    Fix indentation and tab use after r1652955.


Submitted By: olli hauer <ohauer gmx.de> 
Reviewed By: rjung, ylavic, covener


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1673909 13f79535-47bb-0310-9956-ffa450edef68

allow time to first byte (of response headers)
to be logged by mod_logio.  

mod_logio was just a conveninent place to do this 
w/o writing a new filter or complicating an existing 
important one.



Use 'unsigned int' in bitfield


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1673904 13f79535-47bb-0310-9956-ffa450edef68

 
  *) mod_proxy_wstunnel: Avoid an empty response by failing with 502 (Bad
     Gateway) when no response is ever received from the backend.

Submitted By: jkaluza
Reviewde By: covener, ylavic, trawick




git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1673902 13f79535-47bb-0310-9956-ffa450edef68

mod_ssl: Protect ENGINE_CTRL_CHIL_SET_FORKCHECK macro with a 
featue check for libressl.

Submitted by: Stuart Henderson <sthen openbsd.org>
Reviewed by: covener, trawick, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1673900 13f79535-47bb-0310-9956-ffa450edef68

backends not recycling connections (disablereuse), including the default
reverse and forward proxies.

Submitted by: ylavic (and trawick for an old helper function)
Reviewed by: rjung, covener


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1673896 13f79535-47bb-0310-9956-ffa450edef68

mod_buffer: Forward flushed input data immediately and avoid (unlikely)
access to freed memory.

Submitted by: ylavic, jailletc36
Reviewed by: covener, rjung


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1673871 13f79535-47bb-0310-9956-ffa450edef68

core: Add CGIPassAuth directive to control whether HTTP authorization
headers are passed to scripts as CGI variables.

PR: 56855
Reviewed by: rjung, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1673860 13f79535-47bb-0310-9956-ffa450edef68

Credit to guy who rediscovered, fixed, committed & merged: 100%


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1671786 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1671417 13f79535-47bb-0310-9956-ffa450edef68

core_filters: restore/disable TCP_NOPUSH option after non-blocking sendfile.

CHANGES: follow up to r1669289.
Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1670328 13f79535-47bb-0310-9956-ffa450edef68