mod_remoteip: Use r->useragent_addr as the root trusted address for verifying.

This fixes issue resulting in setting of bad useragent_ip when internal
redirection has been generated as response to the request (typically as
result of "ErrorDocument 40x").

In this case, the original request has been handled by mod_remoteip and its
useragent_ip has been changed properly, but when internal redirection
to ErrorDocument has been generated later, the mod_remoteip's handler has been
executed again with *the same* c->client_addr as in the original request. If
c->client_addr IP is trusted, this results in bad useragent_ip being set.

When using r->useragent_addr as the root trusted address instead of
c->client_addr, the internal redirection uses the first non-trusted
IP in this particular case, so it won't change the r->useragent_ip during
the internal redirection to ErrorDocument.

Submitted by: jkaluza
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1767483 13f79535-47bb-0310-9956-ffa450edef68

Submitted by: covener
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1767482 13f79535-47bb-0310-9956-ffa450edef68

mod_http2: v1.7.7, connection shutdown revisited, AP_DEBUG_ASSERT transformed to real asserts


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1766856 13f79535-47bb-0310-9956-ffa450edef68

mod_proxy_{http,ajp,fcgi}: don't reuse backend connections with data
     available before the request is sent.  PR 57832.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1766372 13f79535-47bb-0310-9956-ffa450edef68

mod_http2/mod_proxy_http2: 100-continue implementation, PING checks on aged backend connections


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1765327 13f79535-47bb-0310-9956-ffa450edef68

mod_proxy_http2: renaming duplicate symbol clash between h2_proxy_util and h2_util externals



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1764238 13f79535-47bb-0310-9956-ffa450edef68

mod_http2: rewrite of how responses and trailers are transferred between
     master and slave connection. Reduction of internal states for tasks
     and streams, stability. Heuristic id generation for slave connections
     to better keep promise of connection ids unique at given point int time.
     Fix for mod_cgid interop in high load situtations. 
     Fix for handling of incoming trailers when no request body is sent.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1763163 13f79535-47bb-0310-9956-ffa450edef68

mod_http2: fix for output blocking race condition



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1761478 13f79535-47bb-0310-9956-ffa450edef68

mpm_winnt: remove 'data' AcceptFilter in favor of 'connect'

The 'data' AcceptFilter optimization instructs Windows to wait until
data is received on a connection before completing the AcceptEx
operation. Unfortunately, it seems this isn't performed atomically --
AcceptEx "partially" accepts the incoming connection during the wait for
data, leaving all other incoming connections in the accept queue. This
opens the server to a denial of service.

Since the fix for this requires a substantial rearchitecture (likely
involving multiple outstanding calls to AcceptEx), disable the 'data'
filter for now and replace it with 'connect', which uses the AcceptEx
interface but does not wait for data.

Users running prior releases of httpd on Windows should explicitly move
to a 'connect' AcceptFilter in their configurations if they are
currently using the default 'data' filter.

Many thanks to mludha, Arthur Ramsey, Paul Spangler, and many others for
their assistance in tracking down and diagnosing this issue.

PR: 59970

mpm_winnt: remove the AcceptEx data network bucket

Follow-up to the prior commit: without an incoming data buffer, the
custom network bucket code is now orphaned and we can remove it
entirely. This has the added benefit that we are no longer using the
internal OVERLAPPED.Pointer field, which is discouraged by the MSDN
docs.

mpm_winnt: remove duplication of ap_process_connection

Further follow-up to the previous commit: now that we no longer patch a
network bucket into the brigade, we can revert to calling
ap_process_connection() directly instead of duplicating its logic.

docs: rebuild
Submitted by: jchampion
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1759471 13f79535-47bb-0310-9956-ffa450edef68

mod_cgid: Resolve a case where a short CGI response causes a subsequent
     CGI to be killed prematurely, resulting in a truncated subsequent
     response. 


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1758798 13f79535-47bb-0310-9956-ffa450edef68

* Add missing copy of hcuri and hcexpr ftom the worker to the health check worker.

PR: 60038
Submitted by: zdeno <zdeno@scnet.sk>

Submitted by: rpluem
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1758373 13f79535-47bb-0310-9956-ffa450edef68

mod_http2: fixed bug in stream shutdown, support for nghttp2 invalid header callback from 1.14.0 and onwards.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1758011 13f79535-47bb-0310-9956-ffa450edef68

mod_reqtimeout: Fix body timeout disabling for CONNECT requests to avoid
triggering mod_proxy_connect's AH01018 once the tunnel is established.
https://bugzilla.mozilla.org/show_bug.cgi?id=1279483#c9



mod_reqtimeout: follow up to r1754391: fix missing "else".
Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1757675 13f79535-47bb-0310-9956-ffa450edef68

ab: add SNI support when available.

ab: follow up to r1750854: put the -I at the right place for apr_getopt().

ab: follow up to r1750854.
Use SNI when available by default, and invert -I logic to now disable it.

ab: follow up to r1750854: some comments and better naming.

ab: follow up to r1750854: still better naming, and a C89 fix.
Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1757674 13f79535-47bb-0310-9956-ffa450edef68

mod_proxy_fcgi: avoid loops serving proxied error documents

This commit should solve the issue indicated in PR 55415.
Httpd loops while serving a error document if:
1) The error document's content is proxied.
2) ProxyErrorOverride is set.
The solution proposed is to limit the use of ap_die only
to the initial request. I tested the change with very basic
scenarios but I am not sure if I got all the use cases,
feedback is really welcome.


Submitted by: elukey
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1757671 13f79535-47bb-0310-9956-ffa450edef68

Force mod_proxy_fcgi to read the whole FCGI response 
even when the content has not been modified (HTTP 304).

The problem is described in PR 59838. This patch should 
avoid bogus reads causing the following issues with
HTTP 304 responses:
- AH01068: Got bogus version X, expected 1
- AH01069: Got bogus rid X, expected 1
- AH01075: Error dispatching request to :
- HTTP 503 logged instead of 304 (even if the external 
  client gets correctly a 304)

As discussed on IRC the HTTP_PRECONDITION_FAILED use case
should be handled like the HTTP_NOT_MODIFIED one but it will
be done in a separate commit.


Submitted by: elukey
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1757670 13f79535-47bb-0310-9956-ffa450edef68

Fix spelling in comments and text files.
No functional change.
PR 59990

Submitted by: rjung
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1757669 13f79535-47bb-0310-9956-ffa450edef68

merge of 1752145,1753498,1753541,1754129,1754414,1754534,1755323,1756844,1757524,1757534,1757540 from trunk

mod_http2: backport of latest changes
 - intermediate responses
 - graceful shutdown of connections
 - ht debug draft update



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1757542 13f79535-47bb-0310-9956-ffa450edef68

* Prevent redirect loops between workers within a balancer by limiting the
  number of redirects to the number balancer members.

PR: 59864

Submitted by: rpluem
Reviewed by: rpluem, jim, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1756563 13f79535-47bb-0310-9956-ffa450edef68

* Do not overwrite r->status with access_status if access_status is OK or DONE
  as in this case r->status might contain the true response code.

PR: 59869

Submitted by: rpluem
Reviewed by: rpluem, jim, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1756562 13f79535-47bb-0310-9956-ffa450edef68

mod_dav: Add dav_begin_multistatus, dav_send_one_response,
dav_finish_multistatus, dav_send_multistatus, dav_handle_err, 
dav_failed_proppatch, dav_success_proppatch to mod_dav.h.

Submitted by: minfrin
Reviewed by: minfrin, jim, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1756561 13f79535-47bb-0310-9956-ffa450edef68

mod_dav: Add support for childtags to dav_error.

Submitted by: minfrin
Reviewed by: minfrin, jim, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1756560 13f79535-47bb-0310-9956-ffa450edef68

httpoxy workarounds, first draft patch as published for all 2.2.x+ sources

Optimization to httpoxy workaround, for 2.4.23+ only.

Submitted by: Dominic Scheirlinck <dominic vendhq.com>, ylavic
Reviewed/backported by: wrowe, jim, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1756559 13f79535-47bb-0310-9956-ffa450edef68

PR59815: rewrite per-directory + fcgi broken in 2.4.23

remove the query string from r->filename before calculating environment
(SCRIPT_FILENAME) in mod_proxy_fcgi.  Before PR59618, php-fpm would
see proxy:fcgi:// and do some of this same stripping.




Submitted by: covener
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1755077 13f79535-47bb-0310-9956-ffa450edef68

PR59844: stack-allocated ap_expr_info_t returned from mod_include




git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1753782 13f79535-47bb-0310-9956-ffa450edef68

mod_http2: removed timeouts on master connection while reuqest are being processsed
mod_http2: new H2CopyFiles directive



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1753542 13f79535-47bb-0310-9956-ffa450edef68

mod_http2: fixes flush handling for SETTINGS when no streams are open



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1752095 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1750841 13f79535-47bb-0310-9956-ffa450edef68

modssl: reset client-verify state when renegotiation is aborted
Submitted by: icing
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1750808 13f79535-47bb-0310-9956-ffa450edef68

Fix 'x' command processing in mod_sed.

This has been tested using a slighly modified example taken from:
    https://blogs.oracle.com/basant/entry/using_mod_sed_to_filter
(OutputSed "s/.\*//"             has been changed in                OutputSed "s/.*//")

OutputSed "/Sunday/ {"
OutputSed "h"
OutputSed "s/.*//"
OutputSed "N"
OutputSed "s/\^.//"
OutputSed     "/Monday/ {"
OutputSed         "x"
OutputSed         "s/Sunday/Monday/"
OutputSed         "x"
OutputSed         "s/Monday/Tuesday/"
OutputSed         "H"
OutputSed         "g"
OutputSed     "}"
OutputSed "}"

Add CHANGES entry for r1749401
Submitted by: jailletc36
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1750481 13f79535-47bb-0310-9956-ffa450edef68

of only 'few' or 'none' as fatal, but continue the ./configure

Submitted by: trawick
Backports: r1396440 [only the acinclude.m4, config5.m4 change was N/A]
Reviewed by: wrowe, rpluem, ylavic



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1750254 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1749792 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1749775 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1749336 13f79535-47bb-0310-9956-ffa450edef68

Merge r1749151 from trunk:

mod_http2: fix for request abort when connections drops, introduced in 1.5.8
Submitted by: icing
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1749331 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1748762 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1748647 13f79535-47bb-0310-9956-ffa450edef68

mod_http2: more rigid error handling in DATA frame assembly



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1748536 13f79535-47bb-0310-9956-ffa450edef68

failures under Visual Studio 2015 and other mismatched MSVCRT flavors.

PR: 59630
Submitted by: Jan Ehrhardt <phpdev ehrhardt.nl>



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1748449 13f79535-47bb-0310-9956-ffa450edef68

to opt-in previous behaviour (2.2) with CRLs verification when checking
certificate(s) with no corresponding CRL.

Submitted by: ylavic
Reviewed by: icing, minfrin


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1748338 13f79535-47bb-0310-9956-ffa450edef68