Skip to content
GitLab
  1. 20 Nov, 2015 1 commit
  3. 18 Nov, 2015 1 commit
    • Jim Jagielski's avatar
      Merge r1705194, r1705823, r1705826, r1705828, r1705833, r1706275, r1707230, r1707231 from trunk: · b8885db0
      Jim Jagielski authored 
      mod_ssl: forward EOR (only) brigades to the core_output_filter().

mod_ssl: don't FLUSH output (blocking) on read.
This defeats deferred write (and pipelining), eg. check_pipeline() is not
expecting the pipe to be flushed under it.
So let OpenSSL >= 0.9.8m issue the flush when necessary (earlier versions
are known to not handle all the cases, so we keep flushing with those).


mod_ssl: follow up to r1705823.
Oups, every #if needs a #endif...

mod_ssl: pass through metadata buckets untouched in ssl_io_filter_output(),
the core output filter needs them.

Proposed by: jorton


mod_ssl: follow up to r1705194, r1705823, r1705826 and r1705828.
Add CHANGES entry, and restore ap_process_request_after_handler()'s comment
as prior to r1705194 (the change makes no sense now).


mod_ssl: follow up to r1705823.
We still need to flush in the middle of a SSL/TLS handshake.


mod_ssl: follow up to r1705823.
Flush SSL/TLS handshake data when writing (instead of before reading),
and only when necessary (openssl < 0.9.8m or proxy/client side).


mod_ssl: follow up to r1707230: fix (inverted) logic for SSL_in_connect_init().

Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1715014 13f79535-47bb-0310-9956-ffa450edef68
      b8885db0
  5. 03 Nov, 2015 3 commits
  7. 25 Oct, 2015 1 commit
  9. 09 Oct, 2015 2 commits
  11. 08 Oct, 2015 1 commit
    • Yann Ylavic's avatar
      r1678763 | ylavic | 2015-05-11 16:53:34 +0200 (Mon, 11 May 2015) | 7 lines · 91f55435
      Yann Ylavic authored 
      mod_proxy: only cleanup the socket for a connection asked to be closed but
whose address can still be reused.

This saves unnecessary socket pool destroy and creation at cleanup and reuse
time, plus the same initialization of conn->pool's associated data which can
be reused in that case.


r1703807 | ylavic | 2015-09-18 12:58:58 +0200 (Fri, 18 Sep 2015) | 5 lines

mod_proxy: don't recyle backend announced "Connection: close" connections.
Failing to do this may lead to a race condition where we send a new request
before the backend really closes the connection (or lost SSL-Alert/FIN make
us think the connection is still alive, until the retransmission).


r1703813 | ylavic | 2015-09-18 13:48:31 +0200 (Fri, 18 Sep 2015) | 1 line

mod_proxy: follow up to r1703807: CHANGES entry.


Submitted by: ylavic
Committed by: ylavic
Reviewed  by: ylavic, rjung, trawick


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1707556 13f79535-47bb-0310-9956-ffa450edef68
      91f55435
  13. 06 Oct, 2015 1 commit
    • Jim Jagielski's avatar
      Merge r1684900, r1687539, r1687680, r1688331, r1688339, r1688340, r1688341,... · af2c42fb
      Jim Jagielski authored 
      Merge r1684900, r1687539, r1687680, r1688331, r1688339, r1688340, r1688341, r1688343, r1697013, r1697015 from trunk:

mod_substitute: Fix configuraton merge order.
PR 57641 [Marc.Stern]


mod_substitute: follow up r1684900.
Introduce the SubstituteInheritBefore directive to configure the merge order.
This allows to preserve 2.4 and earlier behaviour.


mod_substitute: follow up to r1687539.
Use tristate single inherit_before variable instead of two, according to
wrowe's advices.


mod_substitute: follow up to r1687680.
Fix dir config merger 'over'-write, thanks Bill (again).

Very difficult to read, and therefore was wrong.

Assert that the SubstituteInheritBefore option was explicitly toggled,
and do not default in 2.x to this legacy behavior.



Optimize in all cases that the members are all explicitly initialized.

Useful for 2.2 and 2.4, but trunk will require the subsequent patch.




Increase legibility of the max_line_length behavior, and adjust for
the requirement that all members are initialized explicitly due to
the previous patch.



Net -8 LoC, my usual specialty.

This didn't need to be reinvented; please use established helpers.



mod_substitute: follow up r1688339.
SubstituteInheritBefore is the default in 2.5.x but wasn't for ealier versions.


mod_substitute: follow up r1697013.
Update the doc.
Submitted by: niq, ylavic, ylavic, ylavic, wrowe, wrowe, wrowe, wrowe, ylavic, ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1707039 13f79535-47bb-0310-9956-ffa450edef68
      af2c42fb
  15. 30 Sep, 2015 4 commits
    • Jim Jagielski's avatar
      Merge r1703902 from trunk: · dbda2446
      Jim Jagielski authored 
      mod_proxy: Fix ProxySourceAddress binding failure with AH00938.  PR 56687.
Proposed by: Arne de Bruijn <apache arbruijn.dds.nl>
Reviewed by: ylavic

Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1706028 13f79535-47bb-0310-9956-ffa450edef68
      dbda2446
    • asf-sync-process's avatar
      merge r1703952 from trunk · 6278188c
      asf-sync-process authored 
      Support compilation against libssl built with OPENSSL_NO_SSL3,
and change the compiled-in default for SSL[Proxy]Protocol to "all -SSLv3",
in accordance with RFC 7568. PR 58349, PR 57120.

Proposed by: kbrand
Reviewed by: ylavic, jorton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1706008 13f79535-47bb-0310-9956-ffa450edef68
      6278188c
    • Kaspar Brand's avatar
      merge r1702643 from trunk · 213c5b06
      Kaspar Brand authored 
      Append :!aNULL:!eNULL:!EXP to the cipher string settings,
instead of prepending !aNULL:!eNULL:!EXP: (as was the case in 2.4.7
and later). Enables support for configuring the SUITEB* cipher
strings introduced in OpenSSL 1.0.2. PR 58213.

Apply the same treatment to the "SSLOpenSSLConfCmd CipherString ..." directive.

Proposed by: kbrand
Reviewed by: ylavic, jorton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1706007 13f79535-47bb-0310-9956-ffa450edef68
      213c5b06
    • Kaspar Brand's avatar
      merge r1693792 from trunk · c41d0340
      Kaspar Brand authored 
      Add support for extracting the msUPN and dnsSRV forms
of subjectAltName entries of type "otherName" into
SSL_{CLIENT,SERVER}_SAN_OTHER_{msUPN,dnsSRV}_n environment
variables. Addresses PR 58020.

* docs/manual/mod/mod_ssl.xml: add SSL_*_SAN_OTHER_*_n entries to the
  environment variables table

* modules/ssl/ssl_engine_vars.c: add support for retrieving the
  SSL_{CLIENT,SERVER}_SAN_OTHER_{msUPN,dnsSRV}_n variables

* modules/ssl/ssl_util_ssl.c: add parse_otherName_value, which
  currently recognizes the "msUPN" (1.3.6.1.4.1.311.20.2.3) and
  "id-on-dnsSRV" (1.3.6.1.5.5.7.8.7) otherName forms, and
  adapt modssl_X509_getSAN to take an optional otherName form
  argument for the GEN_OTHERNAME case

* modules/ssl/ssl_util_ssl.h: adapt modssl_X509_getSAN prototype

* modules/ssl/mod_ssl.c: register the id-on-dnsSRV otherName form
  OID (1.3.6.1.5.5.7.8.7) in OpenSSL's objects table

Proposed by: kbrand
Reviewed by: ylavic, jorton


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1706006 13f79535-47bb-0310-9956-ffa450edef68
      c41d0340
  17. 28 Sep, 2015 1 commit
  19. 27 Sep, 2015 1 commit
  21. 26 Sep, 2015 3 commits
  23. 23 Sep, 2015 1 commit
    • Jim Jagielski's avatar
      Merge r1664709, r1697323 from trunk: · 243d5eab
      Jim Jagielski authored 
       * Do not reset the retry timeout if the worker is in error at this stage even
   if the connection to the backend was successful. It was likely set into
   error by a different thread / process in parallel e.g. for a timeout or
   bad status. We should respect this and should not continue with a connection
   via this worker even if we got one.


* Do a more complete cleanup here. At this point we cannot end up with something useful with the data we created so far.
Submitted by: rpluem
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1704835 13f79535-47bb-0310-9956-ffa450edef68
      243d5eab
  25. 16 Sep, 2015 1 commit
  27. 08 Sep, 2015 1 commit
    • Jim Jagielski's avatar
      Merge r1696105, r1700418 from trunk: · b7f7b509
      Jim Jagielski authored 
      With the current implementation, it is likely to connect/close a socket with the memcache server for each command sent.
The root cause is a too small idle timeout (600 microseconds).

Add a new directive, 'MemcacheConnTTL',  to control this idle connection timeout with the memcache server(s).
Change the default value from 600 usec (!) to 15 sec as per Yann suggestion.

I've limited accepted values from 1 to 1800 seconds (half an hour) because internaly, the value passed to 'apr_memcache_server_create' is still in mirco-seconds.

PR 58091
~~~~~~~~~~~~~~~~~~~_
Homemade measurement (on a slighly modified version of httpd) shows a +30% in number of processed requests using memcache to cache /index.html.
Comparison made between the 600 usec and 15 sec TTL.

Memcache config:
    default
httpd Config:
    CacheEnable socache /
    CacheSocache memcache:127.0.0.1
    LoadModule mpm_event_module modules/mod_mpm_event.so
httpd compiled with:
    ./configure --enable-mpms-shared=all --with-included-apr --with-mysql --with-libxml2 --enable-modules=reallyall --enable-ssl-ct=no --enable-maintainer-mode --prefix=$HOME/httpd-2.5
httpd and memcache running on the same VM running under Ubuntu 15.04
Load tested using:
    ab -n 20000 http://127.0.0.1/index.html

Creation/closing of connections beetween httpd and memcache confirmed using the telnet connection to memcache and the stats command



Allow 0 as a valid value (never close idle connections)
Increased maximum allowed value to 3600 s (1 hour)
Use 'ap_timeout_parameter_parse' to allow more flexible configuration (i.e. h, min, s, ms suffixes)
Use 'apr_time_from_sec' when applicable.
Submitted by: jailletc36
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1701771 13f79535-47bb-0310-9956-ffa450edef68
      b7f7b509
  29. 07 Sep, 2015 1 commit
  31. 06 Sep, 2015 1 commit
  33. 05 Sep, 2015 3 commits
  35. 28 Aug, 2015 1 commit
  37. 29 Jul, 2015 1 commit
  39. 10 Jul, 2015 1 commit
  41. 09 Jul, 2015 1 commit
  43. 08 Jul, 2015 4 commits
  45. 03 Jul, 2015 1 commit
  47. 19 Jun, 2015 1 commit
  49. 18 Jun, 2015 3 commits