Toshaan Bharvani
6 months ago
commit
f6f9a1666a
81 changed files with 9259 additions and 0 deletions
@ -0,0 +1,68 @@ |
|||||||
|
# |
||||||
|
# This file loads most of the modules included with the Apache HTTP |
||||||
|
# Server itself. |
||||||
|
# |
||||||
|
|
||||||
|
LoadModule access_compat_module modules/mod_access_compat.so |
||||||
|
LoadModule actions_module modules/mod_actions.so |
||||||
|
LoadModule alias_module modules/mod_alias.so |
||||||
|
LoadModule allowmethods_module modules/mod_allowmethods.so |
||||||
|
LoadModule auth_basic_module modules/mod_auth_basic.so |
||||||
|
LoadModule auth_digest_module modules/mod_auth_digest.so |
||||||
|
LoadModule authn_anon_module modules/mod_authn_anon.so |
||||||
|
LoadModule authn_core_module modules/mod_authn_core.so |
||||||
|
LoadModule authn_dbd_module modules/mod_authn_dbd.so |
||||||
|
LoadModule authn_dbm_module modules/mod_authn_dbm.so |
||||||
|
LoadModule authn_file_module modules/mod_authn_file.so |
||||||
|
LoadModule authn_socache_module modules/mod_authn_socache.so |
||||||
|
LoadModule authz_core_module modules/mod_authz_core.so |
||||||
|
LoadModule authz_dbd_module modules/mod_authz_dbd.so |
||||||
|
LoadModule authz_dbm_module modules/mod_authz_dbm.so |
||||||
|
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so |
||||||
|
LoadModule authz_host_module modules/mod_authz_host.so |
||||||
|
LoadModule authz_owner_module modules/mod_authz_owner.so |
||||||
|
LoadModule authz_user_module modules/mod_authz_user.so |
||||||
|
LoadModule autoindex_module modules/mod_autoindex.so |
||||||
|
LoadModule cache_module modules/mod_cache.so |
||||||
|
LoadModule cache_disk_module modules/mod_cache_disk.so |
||||||
|
LoadModule cache_socache_module modules/mod_cache_socache.so |
||||||
|
LoadModule data_module modules/mod_data.so |
||||||
|
LoadModule dbd_module modules/mod_dbd.so |
||||||
|
LoadModule deflate_module modules/mod_deflate.so |
||||||
|
LoadModule dir_module modules/mod_dir.so |
||||||
|
LoadModule dumpio_module modules/mod_dumpio.so |
||||||
|
LoadModule echo_module modules/mod_echo.so |
||||||
|
LoadModule env_module modules/mod_env.so |
||||||
|
LoadModule expires_module modules/mod_expires.so |
||||||
|
LoadModule ext_filter_module modules/mod_ext_filter.so |
||||||
|
LoadModule filter_module modules/mod_filter.so |
||||||
|
LoadModule headers_module modules/mod_headers.so |
||||||
|
LoadModule include_module modules/mod_include.so |
||||||
|
LoadModule info_module modules/mod_info.so |
||||||
|
LoadModule log_config_module modules/mod_log_config.so |
||||||
|
LoadModule logio_module modules/mod_logio.so |
||||||
|
LoadModule macro_module modules/mod_macro.so |
||||||
|
LoadModule mime_magic_module modules/mod_mime_magic.so |
||||||
|
LoadModule mime_module modules/mod_mime.so |
||||||
|
LoadModule negotiation_module modules/mod_negotiation.so |
||||||
|
LoadModule remoteip_module modules/mod_remoteip.so |
||||||
|
LoadModule reqtimeout_module modules/mod_reqtimeout.so |
||||||
|
LoadModule request_module modules/mod_request.so |
||||||
|
LoadModule rewrite_module modules/mod_rewrite.so |
||||||
|
LoadModule setenvif_module modules/mod_setenvif.so |
||||||
|
LoadModule slotmem_plain_module modules/mod_slotmem_plain.so |
||||||
|
LoadModule slotmem_shm_module modules/mod_slotmem_shm.so |
||||||
|
LoadModule socache_dbm_module modules/mod_socache_dbm.so |
||||||
|
LoadModule socache_memcache_module modules/mod_socache_memcache.so |
||||||
|
LoadModule socache_redis_module modules/mod_socache_redis.so |
||||||
|
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so |
||||||
|
LoadModule status_module modules/mod_status.so |
||||||
|
LoadModule substitute_module modules/mod_substitute.so |
||||||
|
LoadModule suexec_module modules/mod_suexec.so |
||||||
|
LoadModule unique_id_module modules/mod_unique_id.so |
||||||
|
LoadModule unixd_module modules/mod_unixd.so |
||||||
|
LoadModule userdir_module modules/mod_userdir.so |
||||||
|
LoadModule version_module modules/mod_version.so |
||||||
|
LoadModule vhost_alias_module modules/mod_vhost_alias.so |
||||||
|
LoadModule watchdog_module modules/mod_watchdog.so |
||||||
|
|
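Review bot: Four diagnostic modules are loaded unconditionally in the core list — mod_info, mod_status, mod_dumpio and mod_echo — although none of them is needed to serve requests and each adds code and directives to every worker process. The commit's other module file, headed as the modules "not enabled by default", is the natural home for them, or at minimum the group should be marked with a comment such as `# Diagnostic modules (server-info, server-status, dumpio, echo); comment out if unused`. Whether other parts of this packaging rely on these modules being present is not visible from this section.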
@ -0,0 +1 @@ |
|||||||
|
LoadModule brotli_module modules/mod_brotli.so |
@ -0,0 +1,3 @@ |
|||||||
|
LoadModule dav_module modules/mod_dav.so |
||||||
|
LoadModule dav_fs_module modules/mod_dav_fs.so |
||||||
|
LoadModule dav_lock_module modules/mod_dav_lock.so |
@ -0,0 +1,23 @@ |
|||||||
|
# Select the MPM module which should be used by uncommenting exactly |
||||||
|
# one of the following LoadModule lines. See the httpd.conf(5) man |
||||||
|
# page for more information on changing the MPM. |
||||||
|
|
||||||
|
# prefork MPM: Implements a non-threaded, pre-forking web server |
||||||
|
# See: http://httpd.apache.org/docs/2.4/mod/prefork.html |
||||||
|
# |
||||||
|
# NOTE: If enabling prefork, the httpd_graceful_shutdown SELinux |
||||||
|
# boolean should be enabled, to allow graceful stop/shutdown. |
||||||
|
# |
||||||
|
#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so |
||||||
|
|
||||||
|
# worker MPM: Multi-Processing Module implementing a hybrid |
||||||
|
# multi-threaded multi-process web server |
||||||
|
# See: http://httpd.apache.org/docs/2.4/mod/worker.html |
||||||
|
# |
||||||
|
#LoadModule mpm_worker_module modules/mod_mpm_worker.so |
||||||
|
|
||||||
|
# event MPM: A variant of the worker MPM with the goal of consuming |
||||||
|
# threads only for connections with active processing |
||||||
|
# See: http://httpd.apache.org/docs/2.4/mod/event.html |
||||||
|
# |
||||||
|
#LoadModule mpm_event_module modules/mod_mpm_event.so |
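Review bot: All three `LoadModule mpm_*` lines are commented out, so as written this file selects no MPM and httpd will refuse to start until an administrator uncomments one, which is at odds with the header text that says exactly one should be enabled. If a build or install step elsewhere in this commit rewrites the file to enable a default MPM (not visible in this section), a comment stating that would save the reader a search; otherwise ship one line active, e.g. `LoadModule mpm_event_module modules/mod_mpm_event.so`. The three `See:` links use plain http:// where the https:// documentation URLs are available.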
@ -0,0 +1,19 @@ |
|||||||
|
# |
||||||
|
# This file lists modules included with the Apache HTTP Server |
||||||
|
# which are not enabled by default. |
||||||
|
# |
||||||
|
|
||||||
|
#LoadModule asis_module modules/mod_asis.so |
||||||
|
#LoadModule authnz_fcgi_module modules/mod_authnz_fcgi.so |
||||||
|
#LoadModule buffer_module modules/mod_buffer.so |
||||||
|
#LoadModule heartbeat_module modules/mod_heartbeat.so |
||||||
|
#LoadModule heartmonitor_module modules/mod_heartmonitor.so |
||||||
|
#LoadModule usertrack_module modules/mod_usertrack.so |
||||||
|
#LoadModule dialup_module modules/mod_dialup.so |
||||||
|
#LoadModule charset_lite_module modules/mod_charset_lite.so |
||||||
|
#LoadModule log_debug_module modules/mod_log_debug.so |
||||||
|
#LoadModule log_forensic_module modules/mod_log_forensic.so |
||||||
|
#LoadModule ratelimit_module modules/mod_ratelimit.so |
||||||
|
#LoadModule reflector_module modules/mod_reflector.so |
||||||
|
#LoadModule sed_module modules/mod_sed.so |
||||||
|
#LoadModule speling_module modules/mod_speling.so |
@ -0,0 +1,18 @@ |
|||||||
|
# This file configures all the proxy modules: |
||||||
|
LoadModule proxy_module modules/mod_proxy.so |
||||||
|
LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so |
||||||
|
LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so |
||||||
|
LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so |
||||||
|
LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so |
||||||
|
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so |
||||||
|
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so |
||||||
|
LoadModule proxy_connect_module modules/mod_proxy_connect.so |
||||||
|
LoadModule proxy_express_module modules/mod_proxy_express.so |
||||||
|
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so |
||||||
|
LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so |
||||||
|
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so |
||||||
|
LoadModule proxy_http_module modules/mod_proxy_http.so |
||||||
|
LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so |
||||||
|
LoadModule proxy_scgi_module modules/mod_proxy_scgi.so |
||||||
|
LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so |
||||||
|
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so |
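Review bot: Every proxy backend is loaded here, including mod_proxy_connect (CONNECT tunnelling, used only for forward proxying) and mod_proxy_ftp, which a reverse-proxy deployment does not need; keeping them loaded enlarges every worker and the set of directives a misconfiguration can reach. Consider shipping those two commented out with a short reason, e.g. `#LoadModule proxy_connect_module modules/mod_proxy_connect.so   # forward (CONNECT) proxying only`, mirroring how the optional-modules file in this commit treats rarely used modules. Whether downstream configuration in this packaging depends on them being loaded is not visible from this section.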
@ -0,0 +1,3 @@ |
|||||||
|
# This file configures mod_proxy_html and mod_xml2enc: |
||||||
|
LoadModule xml2enc_module modules/mod_xml2enc.so |
||||||
|
LoadModule proxy_html_module modules/mod_proxy_html.so |
@ -0,0 +1,2 @@ |
|||||||
|
# This file configures systemd module: |
||||||
|
LoadModule systemd_module modules/mod_systemd.so |
@ -0,0 +1,11 @@ |
|||||||
|
# This configuration file loads a CGI module appropriate to the MPM |
||||||
|
# which has been configured in 00-mpm.conf. mod_cgid should be used |
||||||
|
# with a threaded MPM; mod_cgi with the prefork MPM. |
||||||
|
|
||||||
|
<IfModule !mpm_prefork_module> |
||||||
|
LoadModule cgid_module modules/mod_cgid.so |
||||||
|
</IfModule> |
||||||
|
<IfModule mpm_prefork_module> |
||||||
|
LoadModule cgi_module modules/mod_cgi.so |
||||||
|
</IfModule> |
||||||
|
|
@ -0,0 +1,3 @@ |
|||||||
|
# This file configures the LDAP modules: |
||||||
|
LoadModule ldap_module modules/mod_ldap.so |
||||||
|
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so |
@ -0,0 +1,6 @@ |
|||||||
|
LoadModule session_module modules/mod_session.so |
||||||
|
LoadModule session_cookie_module modules/mod_session_cookie.so |
||||||
|
LoadModule session_dbd_module modules/mod_session_dbd.so |
||||||
|
LoadModule auth_form_module modules/mod_auth_form.so |
||||||
|
|
||||||
|
#LoadModule session_crypto_module modules/mod_session_crypto.so |
@ -0,0 +1,5 @@ |
|||||||
|
# This file is part of mod_ssl. It enables listening on port 443 when |
||||||
|
# socket activation is used. |
||||||
|
|
||||||
|
[Socket] |
||||||
|
ListenStream=443 |
@ -0,0 +1,9 @@ |
|||||||
|
|
||||||
|
This directory holds configuration files for the Apache HTTP Server; |
||||||
|
any files in this directory which have the ".conf" extension will be |
||||||
|
processed as httpd configuration files. The directory is used in |
||||||
|
addition to the directory /etc/httpd/conf.modules.d/, which contains |
||||||
|
configuration files necessary to load modules. |
||||||
|
|
||||||
|
Files are processed in sorted order. See httpd.conf(5) for more |
||||||
|
information. |
@ -0,0 +1,10 @@ |
|||||||
|
|
||||||
|
This directory holds configuration files for the Apache HTTP Server; |
||||||
|
any files in this directory which have the ".conf" extension will be |
||||||
|
processed as httpd configuration files. This directory contains |
||||||
|
configuration fragments necessary only to load modules. |
||||||
|
Administrators should use the directory "/etc/httpd/conf.d" to modify |
||||||
|
the configuration of httpd, or any modules. |
||||||
|
|
||||||
|
Files are processed in sorted order and should have a two digit |
||||||
|
numeric prefix. See httpd.conf(5) for more information. |
@ -0,0 +1,2 @@ |
|||||||
|
#!/bin/sh |
||||||
|
exec /sbin/apachectl graceful |
@ -0,0 +1,74 @@ |
|||||||
|
#!/usr/bin/sh |
||||||
|
# |
||||||
|
# Licensed to the Apache Software Foundation (ASF) under one or more |
||||||
|
# contributor license agreements. See the NOTICE file distributed with |
||||||
|
# this work for additional information regarding copyright ownership. |
||||||
|
# The ASF licenses this file to You under the Apache License, Version 2.0 |
||||||
|
# (the "License"); you may not use this file except in compliance with |
||||||
|
# the License. You may obtain a copy of the License at |
||||||
|
# |
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0 |
||||||
|
# |
||||||
|
# Unless required by applicable law or agreed to in writing, software |
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, |
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||||
|
# See the License for the specific language governing permissions and |
||||||
|
# limitations under the License. |
||||||
|
|
||||||
|
### |
||||||
|
### NOTE: This is a replacement version of the "apachectl" script with |
||||||
|
### some differences in behaviour to the version distributed with |
||||||
|
### Apache httpd. Please read the apachectl(8) man page for more |
||||||
|
### information. |
||||||
|
### |
||||||
|
|
||||||
|
if [ "x$1" = "x-k" ]; then |
||||||
|
shift |
||||||
|
fi |
||||||
|
|
||||||
|
ACMD="$1" |
||||||
|
ARGV="$@" |
||||||
|
SVC='httpd.service' |
||||||
|
HTTPD='@HTTPDBIN@' |
||||||
|
|
||||||
|
if [ "x$2" != "x" ] ; then |
||||||
|
echo Passing arguments to httpd using apachectl is no longer supported. |
||||||
|
echo You can only start/stop/restart httpd using this script. |
||||||
|
echo To pass extra arguments to httpd, see the $SVC'(8)' |
||||||
|
echo man page. |
||||||
|
exit 1 |
||||||
|
fi |
||||||
|
|
||||||
|
case $ACMD in |
||||||
|
start|stop|restart|status) |
||||||
|
/usr/bin/systemctl --no-pager $ACMD $SVC |
||||||
|
ERROR=$? |
||||||
|
;; |
||||||
|
graceful) |
||||||
|
if /usr/bin/systemctl -q is-active $SVC; then |
||||||
|
/usr/bin/systemctl kill --signal=SIGUSR1 --kill-who=main $SVC |
||||||
|
else |
||||||
|
/usr/bin/systemctl start $SVC |
||||||
|
fi |
||||||
|
ERROR=$? |
||||||
|
;; |
||||||
|
graceful-stop) |
||||||
|
/usr/bin/systemctl kill --signal=SIGWINCH --kill-who=main $SVC |
||||||
|
ERROR=$? |
||||||
|
;; |
||||||
|
configtest|-t) |
||||||
|
$HTTPD -t |
||||||
|
ERROR=$? |
||||||
|
;; |
||||||
|
-v|-V) |
||||||
|
$HTTPD $ACMD |
||||||
|
ERROR=$? |
||||||
|
;; |
||||||
|
*) |
||||||
|
echo apachectl: The \"$ACMD\" option is not supported. 1>&2 |
||||||
|
ERROR=2 |
||||||
|
;; |
||||||
|
esac |
||||||
|
|
||||||
|
exit $ERROR |
||||||
|
|
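Review bot: `ARGV="$@"` is assigned near the top of the script but never read, so it should be dropped. The `configtest|-t` and `-v|-V` branches pass the binary and command unquoted (`$HTTPD -t`, `$HTTPD $ACMD`); `$ACMD` is constrained by the case patterns so this is safe today, but `"$HTTPD" "$ACMD"` costs nothing and stays correct if `@HTTPDBIN@` ever expands to a path containing whitespace. The unsupported-option message is written to stderr with `1>&2`, while the argument-rejection messages in the earlier `if` block go to stdout; routing those through `>&2` as well would make the script's error output consistent.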
@ -0,0 +1,191 @@ |
|||||||
|
<?xml version='1.0' encoding='UTF-8' ?> |
||||||
|
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" |
||||||
|
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">[ |
||||||
|
|
||||||
|
]> |
||||||
|
<!-- |
||||||
|
Copyright 2020 Red Hat, Inc. |
||||||
|
|
||||||
|
Licensed to the Apache Software Foundation (ASF) under one or more |
||||||
|
contributor license agreements. See the NOTICE file distributed with |
||||||
|
this work for additional information regarding copyright ownership. |
||||||
|
The ASF licenses this file to You under the Apache License, Version 2.0 |
||||||
|
(the "License"); you may not use this file except in compliance with |
||||||
|
the License. You may obtain a copy of the License at |
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0 |
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software |
||||||
|
distributed under the License is distributed on an "AS IS" BASIS, |
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||||
|
See the License for the specific language governing permissions and |
||||||
|
limitations under the License. |
||||||
|
--> |
||||||
|
<refentry> |
||||||
|
<refentryinfo> |
||||||
|
<title>apachectl</title> |
||||||
|
<productname>httpd</productname> |
||||||
|
<author><contrib>Apache man page</contrib><othername>Apache Software Foundation contributors</othername></author> |
||||||
|
<author><contrib>Fedora man page</contrib><surname>Dana</surname><firstname>Frank</firstname></author> |
||||||
|
</refentryinfo> |
||||||
|
|
||||||
|
<refmeta> |
||||||
|
<refentrytitle>apachectl</refentrytitle> |
||||||
|
<manvolnum>8</manvolnum> |
||||||
|
</refmeta> |
||||||
|
|
||||||
|
<refnamediv> |
||||||
|
<refname>apachectl</refname> |
||||||
|
<refpurpose>Server control interface for httpd</refpurpose> |
||||||
|
</refnamediv> |
||||||
|
|
||||||
|
<refsynopsisdiv id='synopsis'> |
||||||
|
<cmdsynopsis> |
||||||
|
<command>apachectl</command> |
||||||
|
<arg choice='opt'><replaceable>command</replaceable> </arg> |
||||||
|
<sbr/> |
||||||
|
</cmdsynopsis> |
||||||
|
</refsynopsisdiv> |
||||||
|
|
||||||
|
<!-- body begins here --> |
||||||
|
<refsect1 id='description'> |
||||||
|
<title>Description</title> |
||||||
|
|
||||||
|
<para><command>apachectl</command> is a front end to the Apache HyperText |
||||||
|
Transfer Protocol (HTTP) server. It is designed to help the |
||||||
|
administrator control the functioning of the Apache |
||||||
|
<command>httpd</command> daemon.</para> |
||||||
|
|
||||||
|
<para>The <command>apachectl</command> script takes one-word arguments like |
||||||
|
<option>start</option>, |
||||||
|
<option>restart</option>, and |
||||||
|
<option>stop</option>, and translates them |
||||||
|
into appropriate signals to <command>httpd</command>.</para> |
||||||
|
|
||||||
|
<para>The <command>apachectl</command> script returns a 0 exit value on |
||||||
|
success, and >0 if an error occurs.</para> |
||||||
|
|
||||||
|
<refsect2 id="compatibility"> |
||||||
|
<title>Compatibility</title> |
||||||
|
|
||||||
|
<para>The version of <command>apachectl</command> used on this |
||||||
|
system is a replacement script intended to be mostly (but not |
||||||
|
completely) compatible with version provided with |
||||||
|
<emphasis>Apache httpd</emphasis>. This |
||||||
|
<command>apachectl</command> mostly acts as a wrapper around |
||||||
|
<command>systemctl</command> and manipulates the |
||||||
|
<command>systemd</command> service for <command>httpd</command>. |
||||||
|
The interface to the <emphasis>Apache</emphasis> version of |
||||||
|
<command>apachectl</command> is described at <ulink |
||||||
|
url="https://httpd.apache.org/docs/2.4/programs/apachectl.html"/>.</para> |
||||||
|
|
||||||
|
<para>The following differences are present in the version of |
||||||
|
<command>apachectl</command> present on this system: |
||||||
|
|
||||||
|
<itemizedlist> |
||||||
|
<listitem><para>Option arguments passed when starting |
||||||
|
<command>httpd</command> are not allowed. These should be |
||||||
|
configured in the systemd service directly (see <citerefentry><refentrytitle>httpd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>).</para></listitem> |
||||||
|
|
||||||
|
<listitem><para>The <command>"fullstatus"</command> option is |
||||||
|
not available.</para></listitem> |
||||||
|
|
||||||
|
<listitem><para>The <command>"status"</command> option does |
||||||
|
not use or rely on the running server's |
||||||
|
<emphasis>server-status</emphasis> output.</para></listitem> |
||||||
|
</itemizedlist> |
||||||
|
|
||||||
|
</para> |
||||||
|
</refsect2> |
||||||
|
</refsect1> |
||||||
|
|
||||||
|
<refsect1 id='options'> |
||||||
|
<title>Options</title> |
||||||
|
<variablelist remap='TP'> |
||||||
|
<varlistentry> |
||||||
|
<term><option>start</option></term> |
||||||
|
<listitem> |
||||||
|
<para>Start the Apache <command>httpd</command> daemon. Gives an error if it |
||||||
|
is already running. This is equivalent to <command>systemctl start httpd.service</command>.</para> |
||||||
|
</listitem> |
||||||
|
</varlistentry> |
||||||
|
|
||||||
|
<varlistentry> |
||||||
|
<term><option>stop</option></term> |
||||||
|
<listitem> |
||||||
|
<para>Stops the Apache <command>httpd</command> daemon. This is equivalent to |
||||||
|
<command>systemctl stop httpd.service</command>.</para> |
||||||
|
</listitem> |
||||||
|
</varlistentry> |
||||||
|
|
||||||
|
<varlistentry> |
||||||
|
<term><option>restart</option></term> |
||||||
|
<listitem> |
||||||
|
<para>Restarts the Apache <command>httpd</command> daemon. If the daemon is |
||||||
|
not running, it is started. This is equivalent |
||||||
|
to <command>systemctl restart httpd.service</command>.</para> |
||||||
|
</listitem> |
||||||
|
</varlistentry> |
||||||
|
|
||||||
|
<varlistentry> |
||||||
|
<term><option>status</option></term> |
||||||
|
<listitem> |
||||||
|
<para>Displays a brief status report. This is equivalent to <command>systemctl status httpd.service.</command></para> |
||||||
|
</listitem> |
||||||
|
</varlistentry> |
||||||
|
|
||||||
|
<varlistentry> |
||||||
|
<term><option>graceful</option></term> |
||||||
|
<listitem> |
||||||
|
<para>Gracefully restarts the Apache <command>httpd</command> daemon. If the |
||||||
|
daemon is not running, it is started. This differs from a normal |
||||||
|
restart in that currently open connections are not aborted. A side |
||||||
|
effect is that old log files will not be closed immediately. This |
||||||
|
means that if used in a log rotation script, a substantial delay may |
||||||
|
be necessary to ensure that the old log files are closed before |
||||||
|
processing them. This is equivalent to |
||||||
|
<command>systemctl kill --signal=SIGUSR1 --kill-who=main httpd.service</command>.</para> |
||||||
|
</listitem> |
||||||
|
</varlistentry> |
||||||
|
|
||||||
|
<varlistentry> |
||||||
|
<term><option>graceful-stop</option></term> |
||||||
|
<listitem> |
||||||
|
<para>Gracefully stops the Apache <command>httpd</command> daemon. |
||||||
|
This differs from a normal stop in that currently open connections are not |
||||||
|
aborted. A side effect is that old log files will not be closed immediately. |
||||||
|
This is equivalent to |
||||||
|
<command>systemctl kill --signal=SIGWINCH --kill-who=main httpd.service</command>.</para> |
||||||
|
</listitem> |
||||||
|
</varlistentry> |
||||||
|
|
||||||
|
<varlistentry> |
||||||
|
<term><option>configtest</option></term> |
||||||
|
<listitem> |
||||||
|
<para>Run a configuration file syntax test. It parses the configuration |
||||||
|
files and either reports <literal>Syntax OK</literal> |
||||||
|
or detailed information about the particular syntax error. This is |
||||||
|
equivalent to <command>httpd -t</command>.</para> |
||||||
|
</listitem> |
||||||
|
</varlistentry> |
||||||
|
</variablelist> |
||||||
|
</refsect1> |
||||||
|
|
||||||
|
<refsect1 id='bugs'> |
||||||
|
<title>Bugs</title> |
||||||
|
<para>Please report bugs by filing an issue in Bugzilla via <ulink url='https://bugzilla.redhat.com/'/>.</para> |
||||||
|
</refsect1> |
||||||
|
|
||||||
|
<refsect1> |
||||||
|
<title>See also</title> |
||||||
|
|
||||||
|
<para> |
||||||
|
<citerefentry><refentrytitle>httpd</refentrytitle><manvolnum>8</manvolnum></citerefentry>, |
||||||
|
<citerefentry><refentrytitle>httpd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
||||||
|
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, |
||||||
|
<citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>, |
||||||
|
<citerefentry><refentrytitle>httpd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> |
||||||
|
</para> |
||||||
|
</refsect1> |
||||||
|
|
||||||
|
</refentry> |
@ -0,0 +1,24 @@ |
|||||||
|
# Layout used in Fedora httpd packaging. |
||||||
|
<Layout Fedora> |
||||||
|
prefix: /etc/httpd |
||||||
|
localstatedir: /var |
||||||
|
exec_prefix: /usr |
||||||
|
bindir: ${exec_prefix}/bin |
||||||
|
sbindir: ${exec_prefix}/sbin |
||||||
|
libdir: ${exec_prefix}/lib |
||||||
|
libexecdir: ${exec_prefix}/libexec |
||||||
|
mandir: ${exec_prefix}/man |
||||||
|
sysconfdir: /etc/httpd/conf |
||||||
|
datadir: ${exec_prefix}/share/httpd |
||||||
|
installbuilddir: ${libdir}/httpd/build |
||||||
|
errordir: ${datadir}/error |
||||||
|
iconsdir: ${datadir}/icons |
||||||
|
htdocsdir: ${localstatedir}/www/html |
||||||
|
manualdir: ${datadir}/manual |
||||||
|
cgidir: ${localstatedir}/www/cgi-bin |
||||||
|
includedir: ${exec_prefix}/include/httpd |
||||||
|
runtimedir: ${prefix}/run |
||||||
|
logfiledir: ${localstatedir}/log/httpd |
||||||
|
statedir: ${prefix}/state |
||||||
|
proxycachedir: ${localstatedir}/cache/httpd/proxy |
||||||
|
</Layout> |
@ -0,0 +1,11 @@ |
|||||||
|
[Unit] |
||||||
|
Description=Disk Cache Cleaning Daemon for the Apache HTTP Server |
||||||
|
After=httpd.service |
||||||
|
Documentation=man:htcacheclean.service(8) |
||||||
|
|
||||||
|
[Service] |
||||||
|
Type=forking |
||||||
|
User=apache |
||||||
|
PIDFile=/run/httpd/htcacheclean/pid |
||||||
|
EnvironmentFile=/etc/sysconfig/htcacheclean |
||||||
|
ExecStart=/usr/sbin/htcacheclean -P /run/httpd/htcacheclean/pid -d $INTERVAL -p $CACHE_ROOT -l $LIMIT $OPTIONS |
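Review bot: The unit has no `[Install]` section (the hunk header gives the file as 11 lines and all are shown), so `systemctl enable htcacheclean.service` will fail with "has no installation config"; if the unit is meant to be pulled in by a preset or another unit, a comment in `[Unit]` should say so, otherwise add `[Install]` with `WantedBy=multi-user.target`. The daemon runs as `User=apache` but without any sandboxing; since it only needs to write the cache root and its PID directory, `ProtectSystem=strict`, `ReadWritePaths=/var/cache/httpd/proxy /run/httpd/htcacheclean`, `PrivateTmp=yes` and `NoNewPrivileges=yes` would confine it cheaply (the cache path is the default from the sysconfig file in this commit; adjust if `$CACHE_ROOT` is overridden). `PIDFile=/run/httpd/htcacheclean/pid` presumes that directory already exists with apache ownership at start; whatever creates it is not visible in this section.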
@ -0,0 +1,123 @@ |
|||||||
|
<?xml version='1.0' encoding='utf-8'?> |
||||||
|
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" |
||||||
|
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [ |
||||||
|
|
||||||
|
]> |
||||||
|
<!-- |
||||||
|
Copyright 2018 Red Hat, Inc. |
||||||
|
|
||||||
|
Licensed to the Apache Software Foundation (ASF) under one or more |
||||||
|
contributor license agreements. See the NOTICE file distributed with |
||||||
|
this work for additional information regarding copyright ownership. |
||||||
|
The ASF licenses this file to You under the Apache License, Version 2.0 |
||||||
|
(the "License"); you may not use this file except in compliance with |
||||||
|
the License. You may obtain a copy of the License at |
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0 |
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software |
||||||
|
distributed under the License is distributed on an "AS IS" BASIS, |
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||||
|
See the License for the specific language overning permissions and |
||||||
|
limitations under the License. |
||||||
|
--> |
||||||
|
<refentry> |
||||||
|
<refentryinfo> |
||||||
|
<title>htcacheclean systemd unit</title> |
||||||
|
<productname>httpd</productname> |
||||||
|
<author><contrib>Author</contrib><surname>Orton</surname><firstname>Joe</firstname><email>jorton@redhat.com</email></author> |
||||||
|
</refentryinfo> |
||||||
|
|
||||||
|
<refmeta> |
||||||
|
<refentrytitle>htcacheclean.service</refentrytitle> |
||||||
|
<manvolnum>8</manvolnum> |
||||||
|
</refmeta> |
||||||
|
|
||||||
|
<refnamediv> |
||||||
|
<refname>htcacheclean.service</refname> |
||||||
|
<refpurpose>htcacheclean unit file for systemd</refpurpose> |
||||||
|
</refnamediv> |
||||||
|
|
||||||
|
<refsynopsisdiv> |
||||||
|
<para> |
||||||
|
<filename>/usr/lib/systemd/system/htcacheclean.service</filename> |
||||||
|
</para> |
||||||
|
</refsynopsisdiv> |
||||||
|
|
||||||
|
<refsect1> |
||||||
|
<title>Description</title> |
||||||
|
|
||||||
|
<para>This manual page describes the <command>systemd</command> |
||||||
|
unit file for the <command>htcacheclean</command> daemon. This |
||||||
|
unit file provides a service which runs |
||||||
|
<command>htcacheclean</command> in daemon mode, |
||||||
|
periodically cleaning the disk cache root to ensure disk space |
||||||
|
usage is within configured limits.</para> |
||||||
|
|
||||||
|
</refsect1> |
||||||
|
|
||||||
|
<refsect1> |
||||||
|
<title>Options</title> |
||||||
|
|
||||||
|
<para>The service is configured by configuration file |
||||||
|
<filename>/etc/sysconfig/htcacheclean</filename>. The following |
||||||
|
variables are used, following standard <command>systemd</command> |
||||||
|
<varname>EnvironmentFile=</varname> syntax:</para> |
||||||
|
|
||||||
|
<variablelist> |
||||||
|
<varlistentry> |
||||||
|
<term><varname>INTERVAL=</varname></term> |
||||||
|
|
||||||
|
<listitem><para>Sets the interval between cache clean runs, in |
||||||
|
minutes. By default this is configured as |
||||||
|
<emphasis>15</emphasis>.</para></listitem> |
||||||
|
</varlistentry> |
||||||
|
|
||||||
|
<varlistentry> |
||||||
|
<term><varname>CACHE_ROOT=</varname></term> |
||||||
|
|
||||||
|
<listitem><para>Sets the directory name used for the cache |
||||||
|
root. By default this is configured as |
||||||
|
<filename>/var/cache/httpd/proxy</filename>.</para></listitem> |
||||||
|
</varlistentry> |
||||||
|
|
||||||
|
<varlistentry> |
||||||
|
<term><varname>LIMIT=</varname></term> |
||||||
|
|
||||||
|
<listitem><para>Sets the total disk cache space limit, in |
||||||
|
bytes. Use a <emphasis>K</emphasis> or <emphasis>M</emphasis> |
||||||
|
suffix to signify kilobytes or megabytes. By default this is |
||||||
|
set to <emphasis>100M</emphasis>.</para></listitem> |
||||||
|
</varlistentry> |
||||||
|
|
||||||
|
<varlistentry> |
||||||
|
<term><varname>OPTIONS=</varname></term> |
||||||
|
|
||||||
|
<listitem><para>Any other options to pass to |
||||||
|
<command>htcacheclean</command>.</para></listitem> |
||||||
|
</varlistentry> |
||||||
|
</variablelist> |
||||||
|
</refsect1> |
||||||
|
|
||||||
|
<refsect1> |
||||||
|
<title>Files</title> |
||||||
|
|
||||||
|
<para><filename>/usr/lib/systemd/system/htcacheclean.service</filename>, |
||||||
|
<filename>/etc/sysconfig/htcacheclean</filename></para> |
||||||
|
</refsect1> |
||||||
|
|
||||||
|
<refsect1> |
||||||
|
<title>See also</title> |
||||||
|
|
||||||
|
<para> |
||||||
|
<citerefentry><refentrytitle>htcacheclean</refentrytitle><manvolnum>8</manvolnum></citerefentry>, |
||||||
|
<citerefentry><refentrytitle>httpd</refentrytitle><manvolnum>8</manvolnum></citerefentry>, |
||||||
|
<citerefentry><refentrytitle>httpd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>, |
||||||
|
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>8</manvolnum></citerefentry> |
||||||
|
</para> |
||||||
|
</refsect1> |
||||||
|
|
||||||
|
</refentry> |
||||||
|
|
||||||
|
<!-- LocalWords: systemd httpd htcacheclean |
||||||
|
--> |
@ -0,0 +1,16 @@ |
|||||||
|
# |
||||||
|
# Configuration options for systemd service, htcacheclean.service. |
||||||
|
# See htcacheclean(8) for more information on available options. |
||||||
|
# |
||||||
|
|
||||||
|
# Interval between cache clean runs, in minutes |
||||||
|
INTERVAL=15 |
||||||
|
|
||||||
|
# Default cache root. |
||||||
|
CACHE_ROOT=/var/cache/httpd/proxy |
||||||
|
|
||||||
|
# Cache size limit in bytes (K=Kbytes, M=Mbytes) |
||||||
|
LIMIT=100M |
||||||
|
|
||||||
|
# Any other options... |
||||||
|
OPTIONS= |
@ -0,0 +1,58 @@ |
|||||||
|
diff --git a/support/apxs.in b/support/apxs.in |
||||||
|
index b2705fa..c331631 100644 |
||||||
|
--- a/support/apxs.in |
||||||
|
+++ b/support/apxs.in |
||||||
|
@@ -35,7 +35,18 @@ if ($ddi >= 0) { |
||||||
|
|
||||||
|
my %config_vars = (); |
||||||
|
|
||||||
|
-my $installbuilddir = "@exp_installbuilddir@"; |
||||||
|
+# Awful hack to make apxs libdir-agnostic: |
||||||
|
+my $pkg_config = "/usr/bin/pkg-config"; |
||||||
|
+if (! -x "$pkg_config") { |
||||||
|
+ error("$pkg_config not found!"); |
||||||
|
+ exit(1); |
||||||
|
+} |
||||||
|
+ |
||||||
|
+my $libdir = `pkg-config --variable=libdir apr-1`; |
||||||
|
+chomp $libdir; |
||||||
|
+ |
||||||
|
+my $installbuilddir = $libdir . "/httpd/build"; |
||||||
|
+ |
||||||
|
get_config_vars($destdir . "$installbuilddir/config_vars.mk",\%config_vars); |
||||||
|
|
||||||
|
# read the configuration variables once |
||||||
|
@@ -285,7 +296,7 @@ if ($opt_g) { |
||||||
|
$data =~ s|%NAME%|$name|sg; |
||||||
|
$data =~ s|%TARGET%|$CFG_TARGET|sg; |
||||||
|
$data =~ s|%PREFIX%|$prefix|sg; |
||||||
|
- $data =~ s|%INSTALLBUILDDIR%|$installbuilddir|sg; |
||||||
|
+ $data =~ s|%LIBDIR%|$libdir|sg; |
||||||
|
|
||||||
|
my ($mkf, $mods, $src) = ($data =~ m|^(.+)-=#=-\n(.+)-=#=-\n(.+)|s); |
||||||
|
|
||||||
|
@@ -463,11 +474,11 @@ if ($opt_c) { |
||||||
|
my $ldflags = "$CFG_LDFLAGS"; |
||||||
|
if ($opt_p == 1) { |
||||||
|
|
||||||
|
- my $apr_libs=`$apr_config --cflags --ldflags --link-libtool --libs`; |
||||||
|
+ my $apr_libs=`$apr_config --cflags --ldflags --link-libtool`; |
||||||
|
chomp($apr_libs); |
||||||
|
my $apu_libs=""; |
||||||
|
if ($apr_major_version < 2) { |
||||||
|
- $apu_libs=`$apu_config --ldflags --link-libtool --libs`; |
||||||
|
+ $apu_libs=`$apu_config --ldflags --link-libtool`; |
||||||
|
chomp($apu_libs); |
||||||
|
} |
||||||
|
|
||||||
|
@@ -682,8 +693,8 @@ __DATA__ |
||||||
|
|
||||||
|
builddir=. |
||||||
|
top_srcdir=%PREFIX% |
||||||
|
-top_builddir=%PREFIX% |
||||||
|
-include %INSTALLBUILDDIR%/special.mk |
||||||
|
+top_builddir=%LIBDIR%/httpd |
||||||
|
+include %LIBDIR%/httpd/build/special.mk |
||||||
|
|
||||||
|
# the used tools |
||||||
|
APACHECTL=apachectl |
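Review bot: The new block validates that `/usr/bin/pkg-config` is executable but then runs a bare `pkg-config` found via `$PATH` in the backticks, and never checks that the command succeeded; if `apr-1` is not registered with pkg-config, `$libdir` is empty after `chomp` and `$installbuilddir` silently becomes `/httpd/build`, which only surfaces as a confusing failure in `get_config_vars`. Use the variable that was just validated and fail fast on an empty result: `my $libdir = qx($pkg_config --variable=libdir apr-1);`, then `chomp $libdir;`, then `if ($? != 0 || $libdir eq "") { error("$pkg_config could not determine the apr-1 libdir"); exit(1); }`. Since this is a patch file added by the commit, the fix belongs in the patch's own `+` lines.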
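--- /dev/null
+++ b/PATCH_FILE_PATH_PLACEHOLDER_2
@@ -0,0 +1,82 @@
+diff --git a/modules/cache/cache_util.h b/modules/cache/cache_util.h
+index 6b92151..4c42a8e 100644
+--- a/modules/cache/cache_util.h
++++ b/modules/cache/cache_util.h
+@@ -195,6 +195,9 @@ typedef struct {
+unsigned int store_nostore_set:1;
+unsigned int enable_set:1;
+unsigned int disable_set:1;
++ /* treat maxex as hard limit */
++ unsigned int hardmaxex:1;
++ unsigned int hardmaxex_set:1;
+} cache_dir_conf;
+
+/* A linked-list of authn providers. */
+diff --git a/modules/cache/mod_cache.c b/modules/cache/mod_cache.c
+index 3b9aa4f..8268503 100644
+--- a/modules/cache/mod_cache.c
++++ b/modules/cache/mod_cache.c
+@@ -1455,6 +1455,11 @@ static apr_status_t cache_save_filter(ap_filter_t *f, apr_bucket_brigade *in)
+exp = date + dconf->defex;
+}
+}
++ /* else, forcibly cap the expiry date if required */
++ else if (dconf->hardmaxex && (date + dconf->maxex) < exp) {
++ exp = date + dconf->maxex;
++ }
++
+info->expire = exp;
+
+/* We found a stale entry which wasn't really stale. */
+@@ -1954,7 +1959,9 @@ static void *create_dir_config(apr_pool_t *p, char *dummy)
+
+/* array of providers for this URL space */
+dconf->cacheenable = apr_array_make(p, 10, sizeof(struct cache_enable));
+-
++ /* flag; treat maxex as hard limit */
++ dconf->hardmaxex = 0;
++ dconf->hardmaxex_set = 0;
+return dconf;
+}
+
+@@ -2004,7 +2011,10 @@ static void *merge_dir_config(apr_pool_t *p, void *basev, void *addv) {
+new->enable_set = add->enable_set || base->enable_set;
+new->disable = (add->disable_set == 0) ? base->disable : add->disable;
+new->disable_set = add->disable_set || base->disable_set;
+-
++ new->hardmaxex =
++ (add->hardmaxex_set == 0)
++ ? base->hardmaxex
++ : add->hardmaxex;
+return new;
+}
+
+@@ -2332,12 +2342,18 @@ static const char *add_cache_disable(cmd_parms *parms, void *dummy,
+}
+
+static const char *set_cache_maxex(cmd_parms *parms, void *dummy,
+- const char *arg)
++ const char *arg, const char *hard)
+{
+cache_dir_conf *dconf = (cache_dir_conf *)dummy;
+
+dconf->maxex = (apr_time_t) (atol(arg) * MSEC_ONE_SEC);
+dconf->maxex_set = 1;
++
++ if (hard && strcasecmp(hard, "hard") == 0) {
++ dconf->hardmaxex = 1;
++ dconf->hardmaxex_set = 1;
++ }
++
+return NULL;
+}
+
+@@ -2545,7 +2561,7 @@ static const command_rec cache_cmds[] =
+"caching is enabled"),
+AP_INIT_TAKE1("CacheDisable", add_cache_disable, NULL, RSRC_CONF|ACCESS_CONF,
+"A partial URL prefix below which caching is disabled"),
+- AP_INIT_TAKE1("CacheMaxExpire", set_cache_maxex, NULL, RSRC_CONF|ACCESS_CONF,
++ AP_INIT_TAKE12("CacheMaxExpire", set_cache_maxex, NULL, RSRC_CONF|ACCESS_CONF,
+"The maximum time in seconds to cache a document"),
+AP_INIT_TAKE1("CacheMinExpire", set_cache_minex, NULL, RSRC_CONF|ACCESS_CONF,
+"The minimum time in seconds to cache a document"),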
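Review bot: merge_dir_config assigns new->hardmaxex but never sets new->hardmaxex_set, unlike the neighbouring flags (`new->disable_set = add->disable_set || base->disable_set;`), so a merged config that later serves as `add` reports the hard cap as unset and the next merge falls back to its base; add `new->hardmaxex_set = add->hardmaxex_set || base->hardmaxex_set;`. That cap is what bounds how long an upstream response with a generous Expires/max-age keeps being served from cache, so losing it silently removes a configured freshness limit. In set_cache_maxex a second argument other than "hard" is silently ignored, so a misspelling yields a soft limit with no diagnostic; returning an error string for any unrecognised second word would surface the typo at config-test time. merge_dir_config and cache_save_filter both continue outside their hunks.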
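--- /dev/null
+++ b/PATCH_FILE_PATH_PLACEHOLDER_3
@@ -0,0 +1,30 @@
+diff --git a/server/core.c b/server/core.c
+index 79b2a82..dc0f17a 100644
+--- a/server/core.c
++++ b/server/core.c
+@@ -4996,6 +4996,25 @@ static int core_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *pte
+}
+apr_pool_cleanup_register(pconf, NULL, ap_mpm_end_gen_helper,
+apr_pool_cleanup_null);
++
++#ifdef RLIMIT_CORE
++ if (ap_coredumpdir_configured) {
++ struct rlimit lim;
++
++ if (getrlimit(RLIMIT_CORE, &lim) == 0 && lim.rlim_cur == 0) {
++ lim.rlim_cur = lim.rlim_max;
++ if (setrlimit(RLIMIT_CORE, &lim) == 0) {
++ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
++ "core dump file size limit raised to %lu bytes",
++ lim.rlim_cur);
++ } else {
++ ap_log_error(APLOG_MARK, APLOG_NOTICE, errno, NULL,
++ "core dump file size is zero, setrlimit failed");
++ }
++ }
++ }
++#endif
++
+return OK;
+}
+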
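Review bot: the success message formats `lim.rlim_cur` with `%lu`, but rlim_t is an unsigned long long on some 32-bit configurations, so the argument can be wider than the format expects; cast it, `(unsigned long)lim.rlim_cur);`, or print it through a 64-bit format. When rlim_max is RLIM_INFINITY the log line prints the sentinel value rather than saying the limit is unlimited, which deserves a comment or a special case. Because RLIMIT_CORE is inherited across fork and exec, the raised limit also applies to every helper httpd spawns, and a core of the parent can hold private key material and request data; the block should carry a comment stating that the raise happens only because CoreDumpDirectory was configured explicitly and that the directory's permissions are what keeps such dumps private. core_post_config starts outside the hunk.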
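--- /dev/null
+++ b/PATCH_FILE_PATH_PLACEHOLDER_4
@@ -0,0 +1,16 @@
+diff --git a/configure.in b/configure.in
+index f8f9442..f276550 100644
+--- a/configure.in
++++ b/configure.in
+@@ -786,9 +786,9 @@ APACHE_SUBST(INSTALL_SUEXEC)
+
+dnl APR should go after the other libs, so the right symbols can be picked up
+if test x${apu_found} != xobsolete; then
+- AP_LIBS="$AP_LIBS `$apu_config --avoid-ldap --link-libtool --libs`"
++ AP_LIBS="$AP_LIBS `$apu_config --avoid-ldap --link-libtool`"
+fi
+-AP_LIBS="$AP_LIBS `$apr_config --link-libtool --libs`"
++AP_LIBS="$AP_LIBS `$apr_config --link-libtool`"
+APACHE_SUBST(AP_LIBS)
+APACHE_SUBST(AP_BUILD_SRCLIB_DIRS)
+APACHE_SUBST(AP_CLEAN_SRCLIB_DIRS)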
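--- /dev/null
+++ b/PATCH_FILE_PATH_PLACEHOLDER_5
@@ -0,0 +1,62 @@
+diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
+index 979489c..3d6443b 100644
+--- a/modules/ssl/ssl_engine_config.c
++++ b/modules/ssl/ssl_engine_config.c
+@@ -1485,6 +1485,10 @@ static const char *ssl_cmd_protocol_parse(cmd_parms *parms,
+#endif
+else if (strcEQ(w, "all")) {
+thisopt = SSL_PROTOCOL_ALL;
++#ifndef OPENSSL_NO_SSL3
++ /* by default, ALL kw doesn't turn on SSLv3 */
++ thisopt &= ~SSL_PROTOCOL_SSLV3;
++#endif
+}
+else {
+return apr_pstrcat(parms->temp_pool,
+diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
+index b0fcf81..ab6f263 100644
+--- a/modules/ssl/ssl_engine_init.c
++++ b/modules/ssl/ssl_engine_init.c
+@@ -568,6 +568,28 @@ static apr_status_t ssl_init_ctx_tls_extensions(server_rec *s,
+}
+#endif
+
++/*
++ * Enable/disable SSLProtocol. If the mod_ssl enables protocol
++ * which is disabled by default by OpenSSL, show a warning.
++ * "option" is for example SSL_OP_NO_SSLv3.
++ */
++static void ssl_set_ctx_protocol_option(server_rec *s,
++ SSL_CTX *ctx,
++ long option,
++ int enabled,
++ const char *name)
++{
++ if (!enabled) {
++ SSL_CTX_set_options(ctx, option);
++ }
++ else if (SSL_CTX_get_options(ctx) & option) {
++ SSL_CTX_clear_options(ctx, option);
++ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(02904)
++ "Allowing SSLProtocol %s even though it is disabled "
++ "by OpenSSL by default on this system", name);
++ }
++}
++
+static apr_status_t ssl_init_ctx_protocol(server_rec *s,
+apr_pool_t *p,
+apr_pool_t *ptemp,
+@@ -735,9 +757,13 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
+}
+if (prot == TLS1_1_VERSION && protocol & SSL_PROTOCOL_TLSV1) {
+prot = TLS1_VERSION;
++ ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_TLSv1,
++ protocol & SSL_PROTOCOL_TLSV1, "TLSv1");
+}
+#ifndef OPENSSL_NO_SSL3
+if (prot == TLS1_VERSION && protocol & SSL_PROTOCOL_SSLV3) {
++ ssl_set_ctx_protocol_option(s, ctx, SSL_OP_NO_SSLv3,
++ protocol & SSL_PROTOCOL_SSLV3, "SSLv3");
+prot = SSL3_VERSION;
+}
+#endif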
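Review bot: both new calls in ssl_init_ctx_protocol pass an `enabled` value that the enclosing `if` has already established as non-zero (`protocol & SSL_PROTOCOL_TLSV1` inside `if (prot == TLS1_1_VERSION && protocol & SSL_PROTOCOL_TLSV1)`), so the helper's `!enabled` branch that sets the option is unreachable from these call sites and a reader is led to expect a disable path that never runs. Either evaluate the helper outside the condition so both outcomes pass through it, or drop the `enabled` parameter and keep only the clear-and-warn case. The two blocks also order the helper call and the `prot =` assignment differently; pick one order. The APLOGNO(02904) warning is the signal that a configuration re-enabled a protocol the system OpenSSL policy had disabled, so a comment on the helper saying it is meant to be noticed in the error log would help operators. ssl_init_ctx_protocol continues outside the hunk.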
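--- /dev/null
+++ b/PATCH_FILE_PATH_PLACEHOLDER_6
@@ -0,0 +1,87 @@
+diff --git a/modules/loggers/config.m4 b/modules/loggers/config.m4
+index 762e773..0848d2e 100644
+--- a/modules/loggers/config.m4
++++ b/modules/loggers/config.m4
+@@ -5,6 +5,8 @@ dnl APACHE_MODULE(name, helptext[, objects[, structname[, default[, config]]]])
+APACHE_MODPATH_INIT(loggers)
+
+APACHE_MODULE(log_config, logging configuration. You won't be able to log requests to the server without this module., , , yes)
++APR_ADDTO(MOD_LOG_CONFIG_LDADD, [$SYSTEMD_LIBS])
++
+APACHE_MODULE(log_debug, configurable debug logging, , , most)
+APACHE_MODULE(log_forensic, forensic logging)
+
+diff --git a/modules/loggers/mod_log_config.c b/modules/loggers/mod_log_config.c
+index 996c09c..50a056a 100644
+--- a/modules/loggers/mod_log_config.c
++++ b/modules/loggers/mod_log_config.c
+@@ -172,6 +172,10 @@
+#include <limits.h>
+#endif
+
++#ifdef HAVE_SYSTEMD
++#include <systemd/sd-journal.h>
++#endif
++
+#define DEFAULT_LOG_FORMAT "%h %l %u %t \"%r\" %>s %b"
+
+module AP_MODULE_DECLARE_DATA log_config_module;
+@@ -1638,6 +1642,25 @@ static apr_status_t ap_default_log_writer( request_rec *r,
+
+return rv;
+}
++
++static apr_status_t wrap_journal_stream(apr_pool_t *p, apr_file_t **outfd,
++ int priority)
++{
++#ifdef HAVE_SYSTEMD
++ int fd;
++
++ fd = sd_journal_stream_fd("httpd", priority, 0);
++ if (fd < 0) return fd;
++
++ /* This is an AF_UNIX socket fd so is more pipe-like than
++ * file-like (the fd is neither seekable or readable), and use of
++ * apr_os_pipe_put_ex() allows cleanup registration. */
++ return apr_os_pipe_put_ex(outfd, &fd, 1, p);
++#else
++ return APR_ENOTIMPL;
++#endif
++}
++
+static void *ap_default_log_writer_init(apr_pool_t *p, server_rec *s,
+const char* name)
+{
+@@ -1650,6 +1673,32 @@ static void *ap_default_log_writer_init(apr_pool_t *p, server_rec *s,
+}
+return ap_piped_log_write_fd(pl);
+}
++ else if (strncasecmp(name, "journald:", 9) == 0) {
++ int priority;
++ const char *err = ap_parse_log_level(name + 9, &priority);
++ apr_status_t rv;
++ apr_file_t *fd;
++
++ if (err == NULL && priority > LOG_DEBUG) {
++ err = "TRACE level debugging not supported with journald";
++ }
++
++ if (err) {
++ ap_log_error(APLOG_MARK, APLOG_ERR, APR_EBADPATH, s,
++ "invalid journald log priority name %s: %s",
++ name, err);
++ return NULL;
++ }
++
++ rv = wrap_journal_stream(p, &fd, priority);
++ if (rv) {
++ ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
++ "could not open journald log stream");
++ return NULL;
++ }
++
++ return fd;
++ }
+else {
+const char *fname = ap_server_root_relative(p, name);
+apr_file_t *fd;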
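Review bot: wrap_journal_stream returns the raw sd_journal_stream_fd() failure value as an apr_status_t (`if (fd < 0) return fd;`), but that value is a negative errno rather than an APR status, so the caller's `ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, "could not open journald log stream")` decodes a meaningless code; convert it with `if (fd < 0) return APR_FROM_OS_ERROR(-fd);`. The stream identifier is the fixed string "httpd" regardless of the configured name, which a short comment on the sd_journal_stream_fd() call should state so nobody expects the text after `journald:` to influence it. ap_default_log_writer_init continues outside the hunk.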
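--- /dev/null
+++ b/PATCH_FILE_PATH_PLACEHOLDER_7
@@ -0,0 +1,96 @@
+
+More verbose startup logging for mod_systemd.
+
+--- httpd-2.4.43/modules/arch/unix/mod_systemd.c.mod_systemd
++++ httpd-2.4.43/modules/arch/unix/mod_systemd.c
+@@ -29,11 +29,14 @@
+#include "mpm_common.h"
+
+#include "systemd/sd-daemon.h"
++#include "systemd/sd-journal.h"
+
+#if APR_HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
++static char describe_listeners[30];
++
+static int systemd_pre_config(apr_pool_t *pconf, apr_pool_t *plog,
+apr_pool_t *ptemp)
+{
+@@ -44,6 +47,20 @@
+return OK;
+}
+
++static char *dump_listener(ap_listen_rec *lr, apr_pool_t *p)
++{
++ apr_sockaddr_t *sa = lr->bind_addr;
++ char addr[128];
++
++ if (apr_sockaddr_is_wildcard(sa)) {
++ return apr_pstrcat(p, "port ", apr_itoa(p, sa->port), NULL);
++ }
++
++ apr_sockaddr_ip_getbuf(addr, sizeof addr, sa);
++
++ return apr_psprintf(p, "%s port %u", addr, sa->port);
++}
++
+/* Report the service is ready in post_config, which could be during
+* startup or after a reload. The server could still hit a fatal
+* startup error after this point during ap_run_mpm(), so this is
+@@ -51,19 +68,51 @@
+* the TCP ports so new connections will not be rejected. There will
+* always be a possible async failure event simultaneous to the
+* service reporting "ready", so this should be good enough. */
+-static int systemd_post_config(apr_pool_t *p, apr_pool_t *plog,
++static int systemd_post_config(apr_pool_t *pconf, apr_pool_t *plog,
+apr_pool_t *ptemp, server_rec *main_server)
+{
++ ap_listen_rec *lr;
++ apr_size_t plen = sizeof describe_listeners;
++ char *p = describe_listeners;
++
++ if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG)
++ return OK;
++
++ for (lr = ap_listeners; lr; lr = lr->next) {
++ char *s = dump_listener(lr, ptemp);
++
++ if (strlen(s) + 3 < plen) {
++ char *newp = apr_cpystrn(p, s, plen);
++ if (lr->next)
++ newp = apr_cpystrn(newp, ", ", 3);
++ plen -= newp - p;
++ p = newp;
++ }
++ else {
++ if (plen < 4) {
++ p = describe_listeners + sizeof describe_listeners - 4;
++ plen = 4;
++ }
++ apr_cpystrn(p, "...", plen);
++ break;
++ }
++ }
++
+sd_notify(0, "READY=1\n"
+"STATUS=Configuration loaded.\n");
++
++ sd_journal_print(LOG_INFO, "Server configured, listening on: %s",
++ describe_listeners);
++
+return OK;
+}
+
+static int systemd_pre_mpm(apr_pool_t *p, ap_scoreboard_e sb_type)
+{
+sd_notifyf(0, "READY=1\n"
+- "STATUS=Processing requests...\n"
+- "MAINPID=%" APR_PID_T_FMT, getpid());
++ "STATUS=Started, listening on: %s\n"
++ "MAINPID=%" APR_PID_T_FMT,
++ describe_listeners, getpid());
+
+return OK;
+}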
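Review bot: describe_listeners is a static buffer that the loop only overwrites from the start, so should a reload ever run systemd_post_config with an empty ap_listeners list, the text of the previous generation would still go out in both the journal line and the STATUS= field; clearing it first, `describe_listeners[0] = '\0';`, removes that dependence on the previous run. The truncation logic is correct but terse: `strlen(s) + 3 < plen` keeps room for ", " and the NUL, and the `plen < 4` rewind guarantees "..." always fits, which deserves a comment since a 30-byte buffer is exhausted after one or two listeners. dump_listener emits only the bind address and port, so the text handed to the journal and to systemd carries no sensitive data.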
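--- /dev/null
+++ b/PATCH_FILE_PATH_PLACEHOLDER_8
@@ -0,0 +1,271 @@
+diff --git a/configure.in b/configure.in
+index cb43246..0bb6b0d 100644
+--- httpd-2.4.43/configure.in.r1861793+
++++ httpd-2.4.43/configure.in
+@@ -465,6 +465,28 @@
+AC_SEARCH_LIBS(crypt, crypt)
+CRYPT_LIBS="$LIBS"
+APACHE_SUBST(CRYPT_LIBS)
++
++if test "$ac_cv_search_crypt" != "no"; then
++ # Test crypt() with the SHA-512 test vector from https://akkadia.org/drepper/SHA-crypt.txt
++ AC_CACHE_CHECK([whether crypt() supports SHA-2], [ap_cv_crypt_sha2], [
++ AC_RUN_IFELSE([AC_LANG_PROGRAM([[
++#include <crypt.h>
++#include <stdlib.h>
++#include <string.h>
++
++#define PASSWD_0 "Hello world!"
++#define SALT_0 "\$6\$saltstring"
++#define EXPECT_0 "\$6\$saltstring\$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJu" \
++ "esI68u4OTLiBFdcbYEdFCoEOfaS35inz1"
++]], [char *result = crypt(PASSWD_0, SALT_0);
++ if (!result) return 1;
++ if (strcmp(result, EXPECT_0)) return 2;
++])], [ap_cv_crypt_sha2=yes], [ap_cv_crypt_sha2=no])])
++ if test "$ap_cv_crypt_sha2" = yes; then
++ AC_DEFINE([HAVE_CRYPT_SHA2], 1, [Define if crypt() supports SHA-2 hashes])
++ fi
++fi
++
+LIBS="$saved_LIBS"
+
+dnl See Comment #Spoon
+--- httpd-2.4.43/docs/man/htpasswd.1.r1861793+
++++ httpd-2.4.43/docs/man/htpasswd.1
+@@ -27,16 +27,16 @@
+.SH "SYNOPSIS"
+
+.PP
+-\fB\fBhtpasswd\fR [ -\fBc\fR ] [ -\fBi\fR ] [ -\fBm\fR | -\fBB\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBC\fR \fIcost\fR ] [ -\fBD\fR ] [ -\fBv\fR ] \fIpasswdfile\fR \fIusername\fR\fR
++\fB\fBhtpasswd\fR [ -\fBc\fR ] [ -\fBi\fR ] [ -\fBm\fR | -\fBB\fR | -\fB2\fR | -\fB5\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBr\fR \fIrounds\fR ] [ -\fBC\fR \fIcost\fR ] [ -\fBD\fR ] [ -\fBv\fR ] \fIpasswdfile\fR \fIusername\fR\fR
+
+.PP
+-\fB\fBhtpasswd\fR -\fBb\fR [ -\fBc\fR ] [ -\fBm\fR | -\fBB\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBC\fR \fIcost\fR ] [ -\fBD\fR ] [ -\fBv\fR ] \fIpasswdfile\fR \fIusername\fR \fIpassword\fR\fR
++\fB\fBhtpasswd\fR -\fBb\fR [ -\fBc\fR ] [ -\fBm\fR | -\fBB\fR | -\fB2\fR | -\fB5\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBr\fR \fIrounds\fR ] [ -\fBC\fR \fIcost\fR ] [ -\fBD\fR ] [ -\fBv\fR ] \fIpasswdfile\fR \fIusername\fR \fIpassword\fR\fR
+
+.PP
+-\fB\fBhtpasswd\fR -\fBn\fR [ -\fBi\fR ] [ -\fBm\fR | -\fBB\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBC\fR \fIcost\fR ] \fIusername\fR\fR
++\fB\fBhtpasswd\fR -\fBn\fR [ -\fBi\fR ] [ -\fBm\fR | -\fBB\fR | -\fB2\fR | -\fB5\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBr\fR \fIrounds\fR ] [ -\fBC\fR \fIcost\fR ] \fIusername\fR\fR
+
+.PP
+-\fB\fBhtpasswd\fR -\fBnb\fR [ -\fBm\fR | -\fBB\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBC\fR \fIcost\fR ] \fIusername\fR \fIpassword\fR\fR
++\fB\fBhtpasswd\fR -\fBnb\fR [ -\fBm\fR | -\fBB\fR | -\fB2\fR | -\fB5\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBr\fR \fIrounds\fR ] [ -\fBC\fR \fIcost\fR ] \fIusername\fR \fIpassword\fR\fR
+
+
+.SH "SUMMARY"
+@@ -48,7 +48,7 @@
+Resources available from the Apache HTTP server can be restricted to just the users listed in the files created by \fBhtpasswd\fR\&. This program can only manage usernames and passwords stored in a flat-file\&. It can encrypt and display password information for use in other types of data stores, though\&. To use a DBM database see dbmmanage or htdbm\&.
+
+.PP
+-\fBhtpasswd\fR encrypts passwords using either bcrypt, a version of MD5 modified for Apache, SHA1, or the system's \fBcrypt()\fR routine\&. Files managed by \fBhtpasswd\fR may contain a mixture of different encoding types of passwords; some user records may have bcrypt or MD5-encrypted passwords while others in the same file may have passwords encrypted with \fBcrypt()\fR\&.
++\fBhtpasswd\fR encrypts passwords using either bcrypt, a version of MD5 modified for Apache, SHA-1, or the system's \fBcrypt()\fR routine\&. SHA-2-based hashes (SHA-256 and SHA-512) are supported for \fBcrypt()\fR\&. Files managed by \fBhtpasswd\fR may contain a mixture of different encoding types of passwords; some user records may have bcrypt or MD5-encrypted passwords while others in the same file may have passwords encrypted with \fBcrypt()\fR\&.
+
+.PP
+This manual page only lists the command line arguments\&. For details of the directives necessary to configure user authentication in httpd see the Apache manual, which is part of the Apache distribution or can be found at http://httpd\&.apache\&.org/\&.
+@@ -73,17 +73,26 @@
+\fB-m\fR
+Use MD5 encryption for passwords\&. This is the default (since version 2\&.2\&.18)\&.
+.TP
++\fB-2\fR
++Use SHA-256 \fBcrypt()\fR based hashes for passwords\&. This is supported on most Unix platforms\&.
++.TP
++\fB-5\fR
++Use SHA-512 \fBcrypt()\fR based hashes for passwords\&. This is supported on most Unix platforms\&.
++.TP
+\fB-B\fR
+Use bcrypt encryption for passwords\&. This is currently considered to be very secure\&.
+.TP
+\fB-C\fR
+This flag is only allowed in combination with \fB-B\fR (bcrypt encryption)\&. It sets the computing time used for the bcrypt algorithm (higher is more secure but slower, default: 5, valid: 4 to 17)\&.
+.TP
++\fB-r\fR
++This flag is only allowed in combination with \fB-2\fR or \fB-5\fR\&. It sets the number of hash rounds used for the SHA-2 algorithms (higher is more secure but slower; the default is 5,000)\&.
++.TP
+\fB-d\fR
+Use \fBcrypt()\fR encryption for passwords\&. This is not supported by the httpd server on Windows and Netware\&. This algorithm limits the password length to 8 characters\&. This algorithm is \fBinsecure\fR by today's standards\&. It used to be the default algorithm until version 2\&.2\&.17\&.
+.TP
+\fB-s\fR
+-Use SHA encryption for passwords\&. Facilitates migration from/to Netscape servers using the LDAP Directory Interchange Format (ldif)\&. This algorithm is \fBinsecure\fR by today's standards\&.
++Use SHA-1 (160-bit) encryption for passwords\&. Facilitates migration from/to Netscape servers using the LDAP Directory Interchange Format (ldif)\&. This algorithm is \fBinsecure\fR by today's standards\&.
+.TP
+\fB-p\fR
+Use plaintext passwords\&. Though \fBhtpasswd\fR will support creation on all platforms, the httpd daemon will only accept plain text passwords on Windows and Netware\&.
+@@ -152,10 +161,13 @@
+When using the \fBcrypt()\fR algorithm, note that only the first 8 characters of the password are used to form the password\&. If the supplied password is longer, the extra characters will be silently discarded\&.
+
+.PP
+-The SHA encryption format does not use salting: for a given password, there is only one encrypted representation\&. The \fBcrypt()\fR and MD5 formats permute the representation by prepending a random salt string, to make dictionary attacks against the passwords more difficult\&.
++The SHA-1 encryption format does not use salting: for a given password, there is only one encrypted representation\&. The \fBcrypt()\fR and MD5 formats permute the representation by prepending a random salt string, to make dictionary attacks against the passwords more difficult\&.
++
++.PP
++The SHA-1 and \fBcrypt()\fR formats are insecure by today's standards\&.
+
+.PP
+-The SHA and \fBcrypt()\fR formats are insecure by today's standards\&.
++The SHA-2-based \fBcrypt()\fR formats (SHA-256 and SHA-512) are supported on most modern Unix systems, and follow the specification at https://www\&.akkadia\&.org/drepper/SHA-crypt\&.txt\&.
+
+.SH "RESTRICTIONS"
+
+--- httpd-2.4.43/support/htpasswd.c.r1861793+
++++ httpd-2.4.43/support/htpasswd.c
+@@ -109,17 +109,21 @@
+"for it." NL
+" -i Read password from stdin without verification (for script usage)." NL
+" -m Force MD5 encryption of the password (default)." NL
+- " -B Force bcrypt encryption of the password (very secure)." NL
++ " -2 Force SHA-256 crypt() hash of the password (very secure)." NL
++ " -5 Force SHA-512 crypt() hash of the password (very secure)." NL
++ " -B Force bcrypt encryption of the password (very secure)." NL
+" -C Set the computing time used for the bcrypt algorithm" NL
+" (higher is more secure but slower, default: %d, valid: 4 to 17)." NL
++ " -r Set the number of rounds used for the SHA-256, SHA-512 algorithms" NL
++ " (higher is more secure but slower, default: 5000)." NL
+" -d Force CRYPT encryption of the password (8 chars max, insecure)." NL
+- " -s Force SHA encryption of the password (insecure)." NL
++ " -s Force SHA-1 encryption of the password (insecure)." NL
+" -p Do not encrypt the password (plaintext, insecure)." NL
+" -D Delete the specified user." NL
+" -v Verify password for the specified user." NL
+"On other systems than Windows and NetWare the '-p' flag will "
+"probably not work." NL
+- "The SHA algorithm does not use a salt and is less secure than the "
++ "The SHA-1 algorithm does not use a salt and is less secure than the "
+"MD5 algorithm." NL,
+BCRYPT_DEFAULT_COST
+);
+@@ -178,7 +182,7 @@
+if (rv != APR_SUCCESS)
+exit(ERR_SYNTAX);
+
+- while ((rv = apr_getopt(state, "cnmspdBbDiC:v", &opt, &opt_arg)) == APR_SUCCESS) {
++ while ((rv = apr_getopt(state, "cnmspdBbDi25C:r:v", &opt, &opt_arg)) == APR_SUCCESS) {
+switch (opt) {
+case 'c':
+*mask |= APHTP_NEWFILE;
+--- httpd-2.4.43/support/passwd_common.c.r1861793+
++++ httpd-2.4.43/support/passwd_common.c
+@@ -179,16 +179,21 @@
+int mkhash(struct passwd_ctx *ctx)
+{
+char *pw;
+- char salt[16];
++ char salt[17];
+apr_status_t rv;
+int ret = 0;
+#if CRYPT_ALGO_SUPPORTED
+char *cbuf;
+#endif
++#ifdef HAVE_CRYPT_SHA2
++ const char *setting;
++ char method;
++#endif
+
+- if (ctx->cost != 0 && ctx->alg != ALG_BCRYPT) {
++ if (ctx->cost != 0 && ctx->alg != ALG_BCRYPT
++ && ctx->alg != ALG_CRYPT_SHA256 && ctx->alg != ALG_CRYPT_SHA512 ) {
+apr_file_printf(errfile,
+- "Warning: Ignoring -C argument for this algorithm." NL);
++ "Warning: Ignoring -C/-r argument for this algorithm." NL);
+}
+
+if (ctx->passwd == NULL) {
+@@ -246,6 +251,34 @@
+break;
+#endif /* CRYPT_ALGO_SUPPORTED */
+
++#ifdef HAVE_CRYPT_SHA2
++ case ALG_CRYPT_SHA256:
++ case ALG_CRYPT_SHA512:
++ ret = generate_salt(salt, 16, &ctx->errstr, ctx->pool);
++ if (ret != 0)
++ break;
++
++ method = ctx->alg == ALG_CRYPT_SHA256 ? '5': '6';
++
++ if (ctx->cost)
++ setting = apr_psprintf(ctx->pool, "$%c$rounds=%d$%s",
++ method, ctx->cost, salt);
++ else
++ setting = apr_psprintf(ctx->pool, "$%c$%s",
++ method, salt);
++
++ cbuf = crypt(pw, setting);
++ if (cbuf == NULL) {
++ rv = APR_FROM_OS_ERROR(errno);
++ ctx->errstr = apr_psprintf(ctx->pool, "crypt() failed: %pm", &rv);
++ ret = ERR_PWMISMATCH;
++ break;
++ }
++
++ apr_cpystrn(ctx->out, cbuf, ctx->out_len - 1);
++ break;
++#endif /* HAVE_CRYPT_SHA2 */
++
+#if BCRYPT_ALGO_SUPPORTED
+case ALG_BCRYPT:
+rv = apr_generate_random_bytes((unsigned char*)salt, 16);
+@@ -294,6 +327,19 @@
+case 's':
+ctx->alg = ALG_APSHA;
+break;
++#ifdef HAVE_CRYPT_SHA2
++ case '2':
++ ctx->alg = ALG_CRYPT_SHA256;
++ break;
++ case '5':
++ ctx->alg = ALG_CRYPT_SHA512;
++ break;
++#else
++ case '2':
++ case '5':
++ ctx->errstr = "SHA-2 crypt() algorithms are not supported on this platform.";
++ return ERR_ALG_NOT_SUPP;
++#endif
+case 'p':
+ctx->alg = ALG_PLAIN;
+#if !PLAIN_ALGO_SUPPORTED
+@@ -324,11 +370,12 @@
+return ERR_ALG_NOT_SUPP;
+#endif
+break;
+- case 'C': {
++ case 'C':
++ case 'r': {
+char *endptr;
+long num = strtol(opt_arg, &endptr, 10);
+if (*endptr != '\0' || num <= 0) {
+- ctx->errstr = "argument to -C must be a positive integer";
++ ctx->errstr = "argument to -C/-r must be a positive integer";
+return ERR_SYNTAX;
+}
+ctx->cost = num;
+--- httpd-2.4.43/support/passwd_common.h.r1861793+
++++ httpd-2.4.43/support/passwd_common.h
+@@ -28,6 +28,8 @@
+#include "apu_version.h"
+#endif
+
++#include "ap_config_auto.h"
++
+#define MAX_STRING_LEN 256
+
+#define ALG_PLAIN 0
+@@ -35,6 +37,8 @@
+#define ALG_APMD5 2
+#define ALG_APSHA 3
+#define ALG_BCRYPT 4
++#define ALG_CRYPT_SHA256 5
++#define ALG_CRYPT_SHA512 6
+
+#define BCRYPT_DEFAULT_COST 5
+
+@@ -84,7 +88,7 @@
+apr_size_t out_len;
+char *passwd;
+int alg;
+- int cost;
++ int cost; /* cost for bcrypt, rounds for SHA-2 */
+enum {
+PW_PROMPT = 0,
+PW_ARG,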
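Review bot: `-C` and `-r` now share `ctx->cost`, and the warning in mkhash accepts either flag for either algorithm family, so `-5 -C 12` silently becomes `rounds=12`, which the referenced SHA-crypt specification says crypt() raises to its 1000 minimum; the option switch should tie `-r` to ALG_CRYPT_SHA256/ALG_CRYPT_SHA512 and `-C` to ALG_BCRYPT, or the SHA-2 case should reject `ctx->cost < 1000` with an explanatory errstr rather than let the library adjust the value. The same case returns ERR_PWMISMATCH when crypt() returns NULL, which by its name callers presumably report as a wrong password rather than a hashing failure; if passwd_common has a general error code, use that. In configure.in the AC_RUN_IFELSE has no action-if-cross-compiling argument, so a cross build stops at configure instead of leaving HAVE_CRYPT_SHA2 undefined; add `[ap_cv_crypt_sha2=no]` as its fourth argument. mkhash and the option switch continue outside their hunks.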
@ -0,0 +1,300 @@ |
|||||||
|
diff --git a/server/listen.c b/server/listen.c |
||||||
|
index 5242c2a..e2e028a 100644 |
||||||
|
--- a/server/listen.c |
||||||
|
+++ b/server/listen.c |
||||||
|
@@ -34,6 +34,10 @@ |
||||||
|
#include <unistd.h> |
||||||
|
#endif |
||||||
|
|
||||||
|
+#ifdef HAVE_SYSTEMD |
||||||
|
+#include <systemd/sd-daemon.h> |
||||||
|
+#endif |
||||||
|
+ |
||||||
|
/* we know core's module_index is 0 */ |
||||||
|
#undef APLOG_MODULE_INDEX |
||||||
|
#define APLOG_MODULE_INDEX AP_CORE_MODULE_INDEX |
||||||
|
@@ -59,9 +63,12 @@ static int ap_listenbacklog; |
||||||
|
static int ap_listencbratio; |
||||||
|
static int send_buffer_size; |
||||||
|
static int receive_buffer_size; |
||||||
|
+#ifdef HAVE_SYSTEMD |
||||||
|
+static int use_systemd = -1; |
||||||
|
+#endif |
||||||
|
|
||||||
|
/* TODO: make_sock is just begging and screaming for APR abstraction */ |
||||||
|
-static apr_status_t make_sock(apr_pool_t *p, ap_listen_rec *server) |
||||||
|
+static apr_status_t make_sock(apr_pool_t *p, ap_listen_rec *server, int do_bind_listen) |
||||||
|
{ |
||||||
|
apr_socket_t *s = server->sd; |
||||||
|
int one = 1; |
||||||
|
@@ -94,20 +101,6 @@ static apr_status_t make_sock(apr_pool_t *p, ap_listen_rec *server) |
||||||
|
return stat; |
||||||
|
} |
||||||
|
|
||||||
|
-#if APR_HAVE_IPV6 |
||||||
|
- if (server->bind_addr->family == APR_INET6) { |
||||||
|
- stat = apr_socket_opt_set(s, APR_IPV6_V6ONLY, v6only_setting); |
||||||
|
- if (stat != APR_SUCCESS && stat != APR_ENOTIMPL) { |
||||||
|
- ap_log_perror(APLOG_MARK, APLOG_CRIT, stat, p, APLOGNO(00069) |
||||||
|
- "make_sock: for address %pI, apr_socket_opt_set: " |
||||||
|
- "(IPV6_V6ONLY)", |
||||||
|
- server->bind_addr); |
||||||
|
- apr_socket_close(s); |
||||||
|
- return stat; |
||||||
|
- } |
||||||
|
- } |
||||||
|
-#endif |
||||||
|
- |
||||||
|
/* |
||||||
|
* To send data over high bandwidth-delay connections at full |
||||||
|
* speed we must force the TCP window to open wide enough to keep the |
||||||
|
@@ -169,21 +162,37 @@ static apr_status_t make_sock(apr_pool_t *p, ap_listen_rec *server) |
||||||
|
} |
||||||
|
#endif |
||||||
|
|
||||||
|
- if ((stat = apr_socket_bind(s, server->bind_addr)) != APR_SUCCESS) { |
||||||
|
- ap_log_perror(APLOG_MARK, APLOG_STARTUP|APLOG_CRIT, stat, p, APLOGNO(00072) |
||||||
|
- "make_sock: could not bind to address %pI", |
||||||
|
- server->bind_addr); |
||||||
|
- apr_socket_close(s); |
||||||
|
- return stat; |
||||||
|
- } |
||||||
|
+ if (do_bind_listen) { |
||||||
|
+#if APR_HAVE_IPV6 |
||||||
|
+ if (server->bind_addr->family == APR_INET6) { |
||||||
|
+ stat = apr_socket_opt_set(s, APR_IPV6_V6ONLY, v6only_setting); |
||||||
|
+ if (stat != APR_SUCCESS && stat != APR_ENOTIMPL) { |
||||||
|
+ ap_log_perror(APLOG_MARK, APLOG_CRIT, stat, p, APLOGNO(00069) |
||||||
|
+ "make_sock: for address %pI, apr_socket_opt_set: " |
||||||
|
+ "(IPV6_V6ONLY)", |
||||||
|
+ server->bind_addr); |
||||||
|
+ apr_socket_close(s); |
||||||
|
+ return stat; |
||||||
|
+ } |
||||||
|
+ } |
||||||
|
+#endif |
||||||
|
|
||||||
|
- if ((stat = apr_socket_listen(s, ap_listenbacklog)) != APR_SUCCESS) { |
||||||
|
- ap_log_perror(APLOG_MARK, APLOG_STARTUP|APLOG_ERR, stat, p, APLOGNO(00073) |
||||||
|
- "make_sock: unable to listen for connections " |
||||||
|
- "on address %pI", |
||||||
|
- server->bind_addr); |
||||||
|
- apr_socket_close(s); |
||||||
|
- return stat; |
||||||
|
+ if ((stat = apr_socket_bind(s, server->bind_addr)) != APR_SUCCESS) { |
||||||
|
+ ap_log_perror(APLOG_MARK, APLOG_STARTUP|APLOG_CRIT, stat, p, APLOGNO(00072) |
||||||
|
+ "make_sock: could not bind to address %pI", |
||||||
|
+ server->bind_addr); |
||||||
|
+ apr_socket_close(s); |
||||||
|
+ return stat; |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+ if ((stat = apr_socket_listen(s, ap_listenbacklog)) != APR_SUCCESS) { |
||||||
|
+ ap_log_perror(APLOG_MARK, APLOG_STARTUP|APLOG_ERR, stat, p, APLOGNO(00073) |
||||||
|
+ "make_sock: unable to listen for connections " |
||||||
|
+ "on address %pI", |
||||||
|
+ server->bind_addr); |
||||||
|
+ apr_socket_close(s); |
||||||
|
+ return stat; |
||||||
|
+ } |
||||||
|
} |
||||||
|
|
||||||
|
#ifdef WIN32 |
||||||
|
@@ -315,6 +324,123 @@ static int find_listeners(ap_listen_rec **from, ap_listen_rec **to, |
||||||
|
return found; |
||||||
|
} |
||||||
|
|
||||||
|
+#ifdef HAVE_SYSTEMD |
||||||
|
+ |
||||||
|
+static int find_systemd_socket(process_rec * process, apr_port_t port) { |
||||||
|
+ int fdcount, fd; |
||||||
|
+ int sdc = sd_listen_fds(0); |
||||||
|
+ |
||||||
|
+ if (sdc < 0) { |
||||||
|
+ ap_log_perror(APLOG_MARK, APLOG_CRIT, sdc, process->pool, APLOGNO(02486) |
||||||
|
+ "find_systemd_socket: Error parsing enviroment, sd_listen_fds returned %d", |
||||||
|
+ sdc); |
||||||
|
+ return -1; |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+ if (sdc == 0) { |
||||||
|
+ ap_log_perror(APLOG_MARK, APLOG_CRIT, sdc, process->pool, APLOGNO(02487) |
||||||
|
+ "find_systemd_socket: At least one socket must be set."); |
||||||
|
+ return -1; |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+ fdcount = atoi(getenv("LISTEN_FDS")); |
||||||
|
+ for (fd = SD_LISTEN_FDS_START; fd < SD_LISTEN_FDS_START + fdcount; fd++) { |
||||||
|
+ if (sd_is_socket_inet(fd, 0, 0, -1, port) > 0) { |
||||||
|
+ return fd; |
||||||
|
+ } |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+ return -1; |
||||||
|
+} |
||||||
|
+ |
||||||
|
+static apr_status_t alloc_systemd_listener(process_rec * process, |
||||||
|
+ int fd, const char *proto, |
||||||
|
+ ap_listen_rec **out_rec) |
||||||
|
+{ |
||||||
|
+ apr_status_t rv; |
||||||
|
+ struct sockaddr sa; |
||||||
|
+ socklen_t len = sizeof(struct sockaddr); |
||||||
|
+ apr_os_sock_info_t si; |
||||||
|
+ ap_listen_rec *rec; |
||||||
|
+ *out_rec = NULL; |
||||||
|
+ |
||||||
|
+ memset(&si, 0, sizeof(si)); |
||||||
|
+ |
||||||
|
+ rv = getsockname(fd, &sa, &len); |
||||||
|
+ |
||||||
|
+ if (rv != 0) { |
||||||
|
+ rv = apr_get_netos_error(); |
||||||
|
+ ap_log_perror(APLOG_MARK, APLOG_CRIT, rv, process->pool, APLOGNO(02489) |
||||||
|
+ "getsockname on %d failed.", fd); |
||||||
|
+ return rv; |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+ si.os_sock = &fd; |
||||||
|
+ si.family = sa.sa_family; |
||||||
|
+ si.local = &sa; |
||||||
|
+ si.type = SOCK_STREAM; |
||||||
|
+ si.protocol = APR_PROTO_TCP; |
||||||
|
+ |
||||||
|
+ rec = apr_palloc(process->pool, sizeof(ap_listen_rec)); |
||||||
|
+ rec->active = 0; |
||||||
|
+ rec->next = 0; |
||||||
|
+ |
||||||
|
+ |
||||||
|
+ rv = apr_os_sock_make(&rec->sd, &si, process->pool); |
||||||
|
+ if (rv != APR_SUCCESS) { |
||||||
|
+ ap_log_perror(APLOG_MARK, APLOG_CRIT, rv, process->pool, APLOGNO(02490) |
||||||
|
+ "apr_os_sock_make on %d failed.", fd); |
||||||
|
+ return rv; |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+ rv = apr_socket_addr_get(&rec->bind_addr, APR_LOCAL, rec->sd); |
||||||
|
+ if (rv != APR_SUCCESS) { |
||||||
|
+ ap_log_perror(APLOG_MARK, APLOG_CRIT, rv, process->pool, APLOGNO(02491) |
||||||
|
+ "apr_socket_addr_get on %d failed.", fd); |
||||||
|
+ return rv; |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+ rec->protocol = apr_pstrdup(process->pool, proto); |
||||||
|
+ |
||||||
|
+ *out_rec = rec; |
||||||
|
+ |
||||||
|
+ return make_sock(process->pool, rec, 0); |
||||||
|
+} |
||||||
|
+ |
||||||
|
+static const char *set_systemd_listener(process_rec *process, apr_port_t port, |
||||||
|
+ const char *proto) |
||||||
|
+{ |
||||||
|
+ ap_listen_rec *last, *new; |
||||||
|
+ apr_status_t rv; |
||||||
|
+ int fd = find_systemd_socket(process, port); |
||||||
|
+ if (fd < 0) { |
||||||
|
+ return "Systemd socket activation is used, but this port is not " |
||||||
|
+ "configured in systemd"; |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+ last = ap_listeners; |
||||||
|
+ while (last && last->next) { |
||||||
|
+ last = last->next; |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+ rv = alloc_systemd_listener(process, fd, proto, &new); |
||||||
|
+ if (rv != APR_SUCCESS) { |
||||||
|
+ return "Failed to setup socket passed by systemd using socket activation"; |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+ if (last == NULL) { |
||||||
|
+ ap_listeners = last = new; |
||||||
|
+ } |
||||||
|
+ else { |
||||||
|
+ last->next = new; |
||||||
|
+ last = new; |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+ return NULL; |
||||||
|
+} |
||||||
|
+ |
||||||
|
+#endif /* HAVE_SYSTEMD */ |
||||||
|
+ |
||||||
|
static const char *alloc_listener(process_rec *process, const char *addr, |
||||||
|
apr_port_t port, const char* proto, |
||||||
|
void *slave) |
||||||
|
@@ -495,7 +621,7 @@ static int open_listeners(apr_pool_t *pool) |
||||||
|
} |
||||||
|
} |
||||||
|
#endif |
||||||
|
- if (make_sock(pool, lr) == APR_SUCCESS) { |
||||||
|
+ if (make_sock(pool, lr, 1) == APR_SUCCESS) { |
||||||
|
++num_open; |
||||||
|
} |
||||||
|
else { |
||||||
|
@@ -607,8 +733,28 @@ AP_DECLARE(int) ap_setup_listeners(server_rec *s) |
||||||
|
} |
||||||
|
} |
||||||
|
|
||||||
|
- if (open_listeners(s->process->pool)) { |
||||||
|
- return 0; |
||||||
|
+#ifdef HAVE_SYSTEMD |
||||||
|
+ if (use_systemd) { |
||||||
|
+ const char *userdata_key = "ap_open_systemd_listeners"; |
||||||
|
+ void *data; |
||||||
|
+ /* clear the enviroment on our second run |
||||||
|
+ * so that none of our future children get confused. |
||||||
|
+ */ |
||||||
|
+ apr_pool_userdata_get(&data, userdata_key, s->process->pool); |
||||||
|
+ if (!data) { |
||||||
|
+ apr_pool_userdata_set((const void *)1, userdata_key, |
||||||
|
+ apr_pool_cleanup_null, s->process->pool); |
||||||
|
+ } |
||||||
|
+ else { |
||||||
|
+ sd_listen_fds(1); |
||||||
|
+ } |
||||||
|
+ } |
||||||
|
+ else |
||||||
|
+#endif |
||||||
|
+ { |
||||||
|
+ if (open_listeners(s->process->pool)) { |
||||||
|
+ return 0; |
||||||
|
+ } |
||||||
|
} |
||||||
|
|
||||||
|
for (lr = ap_listeners; lr; lr = lr->next) { |
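Review bot: The systemd branch bypasses open_listeners() entirely, so whatever open_listeners does to each record besides calling `make_sock(pool, lr, 1)` (it presumably also marks records active, given that alloc_systemd_listener leaves `rec->active = 0`) never runs for socket-activated listeners; either set those fields in alloc_systemd_listener or state in a comment that the loop below is expected to cope with inactive records. The `else` that dangles between `}` and `#endif` with the `{` on the following line compiles, but without HAVE_SYSTEMD a reader sees a bare `{` block; wrapping the whole if/else in `#ifdef HAVE_SYSTEMD`/`#else`/`#endif`, or defining `use_systemd` as 0 when systemd is absent and testing `if (!use_systemd)`, reads more plainly. The comment at the top of the branch has a typo ("enviroment") and does not say what the second-run call does; `/* Second run after fork: sd_listen_fds(1) unsets LISTEN_PID/LISTEN_FDS so children do not inherit them */` would. ap_setup_listeners starts outside the hunk.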
||||||
|
@@ -698,7 +844,7 @@ AP_DECLARE(apr_status_t) ap_duplicate_listeners(apr_pool_t *p, server_rec *s, |
||||||
|
duplr->bind_addr); |
||||||
|
return stat; |
||||||
|
} |
||||||
|
- make_sock(p, duplr); |
||||||
|
+ make_sock(p, duplr, 1); |
||||||
|
#if AP_NONBLOCK_WHEN_MULTI_LISTEN |
||||||
|
use_nonblock = (ap_listeners && ap_listeners->next); |
||||||
|
stat = apr_socket_opt_set(duplr->sd, APR_SO_NONBLOCK, use_nonblock); |
||||||
|
@@ -825,6 +971,11 @@ AP_DECLARE_NONSTD(const char *) ap_set_listener(cmd_parms *cmd, void *dummy, |
||||||
|
if (argc < 1 || argc > 2) { |
||||||
|
return "Listen requires 1 or 2 arguments."; |
||||||
|
} |
||||||
|
+#ifdef HAVE_SYSTEMD |
||||||
|
+ if (use_systemd == -1) { |
||||||
|
+ use_systemd = sd_listen_fds(0) > 0; |
||||||
|
+ } |
||||||
|
+#endif |
||||||
|
|
||||||
|
rv = apr_parse_addr_port(&host, &scope_id, &port, argv[0], cmd->pool); |
||||||
|
if (rv != APR_SUCCESS) { |
||||||
|
@@ -856,6 +1007,12 @@ AP_DECLARE_NONSTD(const char *) ap_set_listener(cmd_parms *cmd, void *dummy, |
||||||
|
ap_str_tolower(proto); |
||||||
|
} |
||||||
|
|
||||||
|
+#ifdef HAVE_SYSTEMD |
||||||
|
+ if (use_systemd) { |
||||||
|
+ return set_systemd_listener(cmd->server->process, port, proto); |
||||||
|
+ } |
||||||
|
+#endif |
||||||
|
+ |
||||||
|
return alloc_listener(cmd->server->process, host, port, proto, NULL); |
||||||
|
} |
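Review bot: When `use_systemd` is set, `set_systemd_listener(cmd->server->process, port, proto)` drops `host` and `scope_id`, so the address part of a `Listen 10.0.0.1:80` line is silently ignored and find_systemd_socket matches on port alone; two Listen lines that differ only in address are attached to the same passed descriptor, and a socket systemd bound to a different address than the one configured is accepted without a hint. At minimum compare the address apr_socket_addr_get returned with `host` and log a warning on mismatch, or pass `host` through so find_systemd_socket can check it. In the earlier hunk of this function, `use_systemd = sd_listen_fds(0) > 0;` folds a negative (error) result into "not using systemd" without a log line, which makes a LISTEN_PID mismatch indistinguishable from ordinary start-up. ap_set_listener starts outside the hunk.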
||||||
|
|
@ -0,0 +1,31 @@ |
|||||||
|
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c |
||||||
|
index 97778a8..27e7a53 100644 |
||||||
|
--- a/modules/ssl/ssl_engine_config.c |
||||||
|
+++ b/modules/ssl/ssl_engine_config.c |
||||||
|
@@ -778,9 +778,11 @@ const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd, |
||||||
|
} |
||||||
|
|
||||||
|
if (!strcmp("SSL", arg1)) { |
||||||
|
- /* always disable null and export ciphers */ |
||||||
|
- arg2 = apr_pstrcat(cmd->pool, arg2, ":!aNULL:!eNULL:!EXP", NULL); |
||||||
|
if (cmd->path) { |
||||||
|
+ /* Disable null and export ciphers by default, except for PROFILE= |
||||||
|
+ * configs where the parser doesn't cope. */ |
||||||
|
+ if (strncmp(arg2, "PROFILE=", 8) != 0) |
||||||
|
+ arg2 = apr_pstrcat(cmd->pool, arg2, ":!aNULL:!eNULL:!EXP", NULL); |
||||||
|
dc->szCipherSuite = arg2; |
||||||
|
} |
||||||
|
else { |
||||||
|
@@ -1544,8 +1546,10 @@ const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *cmd, |
||||||
|
} |
||||||
|
|
||||||
|
if (!strcmp("SSL", arg1)) { |
||||||
|
- /* always disable null and export ciphers */ |
||||||
|
- arg2 = apr_pstrcat(cmd->pool, arg2, ":!aNULL:!eNULL:!EXP", NULL); |
||||||
|
+ /* Disable null and export ciphers by default, except for PROFILE= |
||||||
|
+ * configs where the parser doesn't cope. */ |
||||||
|
+ if (strncmp(arg2, "PROFILE=", 8) != 0) |
||||||
|
+ arg2 = apr_pstrcat(cmd->pool, arg2, ":!aNULL:!eNULL:!EXP", NULL); |
||||||
|
dc->proxy->auth.cipher_suite = arg2; |
||||||
|
return NULL; |
||||||
|
} |
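Review bot: The `:!aNULL:!eNULL:!EXP` append has moved from before `if (cmd->path)` into that branch, so the `else` branch that follows (outside the hunk) no longer appends it; if that branch still assigns `arg2` unchanged to the server-level suite as before, a server-wide `SSLCipherSuite` loses the exclusion the old comment called "always", while the proxy variant in the second hunk keeps it for every context. The PROFILE= exemption is an exact, case-sensitive prefix test, so `profile=SYSTEM` would get the suffix appended and fail to parse; if that is intended, the comment should say the keyword must be upper-case. Excluding NULL and export ciphers is now delegated to the system profile for PROFILE= suites, which the comment should state, e.g. `/* PROFILE= suites come from the system crypto policy, which is expected to exclude NULL/export ciphers itself. */`.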
@ -0,0 +1,99 @@ |
|||||||
|
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c |
||||||
|
index 27e7a53..b53f3f8 100644 |
||||||
|
--- a/modules/ssl/ssl_engine_config.c |
||||||
|
+++ b/modules/ssl/ssl_engine_config.c |
||||||
|
@@ -119,7 +119,7 @@ static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p) |
||||||
|
mctx->ticket_key = NULL; |
||||||
|
#endif |
||||||
|
|
||||||
|
- mctx->protocol = SSL_PROTOCOL_DEFAULT; |
||||||
|
+ mctx->protocol = SSL_PROTOCOL_NONE; |
||||||
|
mctx->protocol_set = 0; |
||||||
|
|
||||||
|
mctx->pphrase_dialog_type = SSL_PPTYPE_UNSET; |
||||||
|
@@ -263,6 +263,7 @@ static void modssl_ctx_cfg_merge(apr_pool_t *p, |
||||||
|
if (add->protocol_set) { |
||||||
|
mrg->protocol_set = 1; |
||||||
|
mrg->protocol = add->protocol; |
||||||
|
+ mrg->protocol_set = 1; |
||||||
|
} |
||||||
|
else { |
||||||
|
mrg->protocol_set = base->protocol_set; |
||||||
|
|
||||||
|
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c |
||||||
|
index bfad47a..b0fcf81 100644 |
||||||
|
--- a/modules/ssl/ssl_engine_init.c |
||||||
|
+++ b/modules/ssl/ssl_engine_init.c |
||||||
|
@@ -577,6 +577,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, |
||||||
|
MODSSL_SSL_METHOD_CONST SSL_METHOD *method = NULL; |
||||||
|
char *cp; |
||||||
|
int protocol = mctx->protocol; |
||||||
|
+ int protocol_set = mctx->protocol_set; |
||||||
|
SSLSrvConfigRec *sc = mySrvConfig(s); |
||||||
|
#if OPENSSL_VERSION_NUMBER >= 0x10100000L |
||||||
|
int prot; |
||||||
|
@@ -586,12 +587,18 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, |
||||||
|
* Create the new per-server SSL context |
||||||
|
*/ |
||||||
|
if (protocol == SSL_PROTOCOL_NONE) { |
||||||
|
- ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02231) |
||||||
|
- "No SSL protocols available [hint: SSLProtocol]"); |
||||||
|
- return ssl_die(s); |
||||||
|
- } |
||||||
|
+ if (protocol_set) { |
||||||
|
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02231) |
||||||
|
+ "No SSL protocols available [hint: SSLProtocol]"); |
||||||
|
+ return ssl_die(s); |
||||||
|
+ } |
||||||
|
|
||||||
|
- cp = apr_pstrcat(p, |
||||||
|
+ ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s, |
||||||
|
+ "Using OpenSSL/system default SSL/TLS protocols"); |
||||||
|
+ cp = "default"; |
||||||
|
+ } |
||||||
|
+ else { |
||||||
|
+ cp = apr_pstrcat(p, |
||||||
|
#ifndef OPENSSL_NO_SSL3 |
||||||
|
(protocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""), |
||||||
|
#endif |
||||||
|
@@ -604,7 +611,8 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, |
||||||
|
#endif |
||||||
|
#endif |
||||||
|
NULL); |
||||||
|
- cp[strlen(cp)-2] = NUL; |
||||||
|
+ cp[strlen(cp)-2] = NUL; |
||||||
|
+ } |
||||||
|
|
||||||
|
ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s, |
||||||
|
"Creating new SSL context (protocols: %s)", cp); |
||||||
|
@@ -705,13 +713,15 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, |
||||||
|
prot = SSL3_VERSION; |
||||||
|
#endif |
||||||
|
} else { |
||||||
|
- SSL_CTX_free(ctx); |
||||||
|
- mctx->ssl_ctx = NULL; |
||||||
|
- ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(03378) |
||||||
|
- "No SSL protocols available [hint: SSLProtocol]"); |
||||||
|
- return ssl_die(s); |
||||||
|
+ if (protocol_set) { |
||||||
|
+ SSL_CTX_free(ctx); |
||||||
|
+ mctx->ssl_ctx = NULL; |
||||||
|
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(03378) |
||||||
|
+ "No SSL protocols available [hint: SSLProtocol]"); |
||||||
|
+ return ssl_die(s); |
||||||
|
+ } |
||||||
|
} |
||||||
|
- SSL_CTX_set_max_proto_version(ctx, prot); |
||||||
|
+ if (protocol != SSL_PROTOCOL_NONE) SSL_CTX_set_max_proto_version(ctx, prot); |
||||||
|
|
||||||
|
/* Next we scan for the minimal protocol version we should provide, |
||||||
|
* but we do not allow holes between max and min */ |
||||||
|
@@ -731,7 +741,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, |
||||||
|
prot = SSL3_VERSION; |
||||||
|
} |
||||||
|
#endif |
||||||
|
- SSL_CTX_set_min_proto_version(ctx, prot); |
||||||
|
+ if (protocol != SSL_PROTOCOL_NONE) SSL_CTX_set_min_proto_version(ctx, prot); |
||||||
|
#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L */ |
||||||
|
|
||||||
|
#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE |
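Review bot: With the default now SSL_PROTOCOL_NONE and `protocol_set == 0`, ssl_init_ctx_protocol skips both SSL_CTX_set_max_proto_version and SSL_CTX_set_min_proto_version, so the accepted protocol floor is whatever the OpenSSL build or system crypto policy provides rather than anything httpd pins; the TRACE3 line is the only record of that, and a comment above `cp = "default"` should say it, e.g. `/* No SSLProtocol configured: leave min/max unset so the library/system policy default applies */`. Assigning a string literal to the non-const `char *cp` is safe only because the `cp[strlen(cp)-2] = NUL` write is now confined to the `else` branch; a comment on the `cp = "default"` line noting that `cp` must not be modified on this path keeps a later edit from writing into read-only memory. In the modssl_ctx_cfg_merge hunk the added `mrg->protocol_set = 1;` duplicates the context line two lines above it and can be dropped. ssl_init_ctx_protocol extends beyond these hunks.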
@ -0,0 +1,124 @@ |
|||||||
|
diff --git a/docs/manual/mod/mpm_common.html.en b/docs/manual/mod/mpm_common.html.en |
||||||
|
index e7af21d..01d54b7 100644 |
||||||
|
--- a/docs/manual/mod/mpm_common.html.en |
||||||
|
+++ b/docs/manual/mod/mpm_common.html.en |
||||||
|
@@ -42,6 +42,7 @@ more than one multi-processing module (MPM)</td></tr> |
||||||
|
<li><img alt="" src="../images/down.gif" /> <a href="#enableexceptionhook">EnableExceptionHook</a></li> |
||||||
|
<li><img alt="" src="../images/down.gif" /> <a href="#gracefulshutdowntimeout">GracefulShutdownTimeout</a></li> |
||||||
|
<li><img alt="" src="../images/down.gif" /> <a href="#listen">Listen</a></li> |
||||||
|
+<li><img alt="" src="../images/down.gif" /> <a href="#listenfree">ListenFree</a></li> |
||||||
|
<li><img alt="" src="../images/down.gif" /> <a href="#listenbacklog">ListenBackLog</a></li> |
||||||
|
<li><img alt="" src="../images/down.gif" /> <a href="#listencoresbucketsratio">ListenCoresBucketsRatio</a></li> |
||||||
|
<li><img alt="" src="../images/down.gif" /> <a href="#maxconnectionsperchild">MaxConnectionsPerChild</a></li> |
||||||
|
@@ -244,6 +245,31 @@ discussion of the <code>Address already in use</code> error message, |
||||||
|
including other causes.</a></li> |
||||||
|
</ul> |
||||||
|
</div> |
||||||
|
+ |
||||||
|
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> |
||||||
|
+<div class="directive-section"><h2><a name="ListenFree" id="ListenFree">ListenFree</a> <a name="listenfree" id="listenfree">Directive</a></h2> |
||||||
|
+<table class="directive"> |
||||||
|
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>IP addresses and ports that the server |
||||||
|
+listens to. Doesn't require IP address to be up</td></tr> |
||||||
|
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>ListenFree [<var>IP-address</var>:]<var>portnumber</var> [<var>protocol</var>]</code></td></tr> |
||||||
|
+<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr> |
||||||
|
+<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>MPM</td></tr> |
||||||
|
+<tr><th><a href="directive-dict.html#Module">Module:</a></th><td><code class="module"><a href="../mod/event.html">event</a></code>, <code class="module"><a href="../mod/worker.html">worker</a></code>, <code class="module"><a href="../mod/prefork.html">prefork</a></code>, <code class="module"><a href="../mod/mpm_winnt.html">mpm_winnt</a></code>, <code class="module"><a href="../mod/mpm_netware.html">mpm_netware</a></code>, <code class="module"><a href="../mod/mpmt_os2.html">mpmt_os2</a></code></td></tr> |
||||||
|
+<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>This directive is currently available only in Red Hat Enterprise Linux</td></tr> |
||||||
|
+</table> |
||||||
|
+ <p>The <code class="directive">ListenFree</code> directive is |
||||||
|
+ identical to the <code class="directive">Listen</code> directive. |
||||||
|
+ The only difference is in the usage of the IP_FREEBIND socket |
||||||
|
+ option, which is enabled by default with <code class="directive">ListenFree</code>. |
||||||
|
+ If IP_FREEBIND is enabled, it allows httpd to bind to an IP |
||||||
|
+ address that is nonlocal or does not (yet) exist. This allows httpd to |
||||||
|
+ listen on a socket without requiring the underlying network interface |
||||||
|
+ or the specified dynamic IP address to be up at the time when httpd |
||||||
|
+ is trying to bind to it. |
||||||
|
+ </p> |
||||||
|
+</div> |
||||||
|
+ |
||||||
|
+ |
||||||
|
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> |
||||||
|
<div class="directive-section"><h2><a name="ListenBackLog" id="ListenBackLog">ListenBackLog</a> <a name="listenbacklog" id="listenbacklog">Directive</a></h2> |
||||||
|
<table class="directive"> |
||||||
|
diff --git a/include/ap_listen.h b/include/ap_listen.h |
||||||
|
index 58c2574..1a53292 100644 |
||||||
|
--- a/include/ap_listen.h |
||||||
|
+++ b/include/ap_listen.h |
||||||
|
@@ -137,6 +137,9 @@ AP_DECLARE_NONSTD(const char *) ap_set_listenbacklog(cmd_parms *cmd, void *dummy |
||||||
|
AP_DECLARE_NONSTD(const char *) ap_set_listencbratio(cmd_parms *cmd, void *dummy, const char *arg); |
||||||
|
AP_DECLARE_NONSTD(const char *) ap_set_listener(cmd_parms *cmd, void *dummy, |
||||||
|
int argc, char *const argv[]); |
||||||
|
+AP_DECLARE_NONSTD(const char *) ap_set_freelistener(cmd_parms *cmd, void *dummy, |
||||||
|
+ int argc, char *const argv[]); |
||||||
|
+ |
||||||
|
AP_DECLARE_NONSTD(const char *) ap_set_send_buffer_size(cmd_parms *cmd, void *dummy, |
||||||
|
const char *arg); |
||||||
|
AP_DECLARE_NONSTD(const char *) ap_set_receive_buffer_size(cmd_parms *cmd, |
||||||
|
@@ -150,6 +153,8 @@ AP_INIT_TAKE1("ListenCoresBucketsRatio", ap_set_listencbratio, NULL, RSRC_CONF, |
||||||
|
"Ratio between the number of CPU cores (online) and the number of listeners buckets"), \ |
||||||
|
AP_INIT_TAKE_ARGV("Listen", ap_set_listener, NULL, RSRC_CONF, \ |
||||||
|
"A port number or a numeric IP address and a port number, and an optional protocol"), \ |
||||||
|
+AP_INIT_TAKE_ARGV("ListenFree", ap_set_freelistener, NULL, RSRC_CONF, \ |
||||||
|
+ "A port number or a numeric IP address and a port number, and an optional protocol"), \ |
||||||
|
AP_INIT_TAKE1("SendBufferSize", ap_set_send_buffer_size, NULL, RSRC_CONF, \ |
||||||
|
"Send buffer size in bytes"), \ |
||||||
|
AP_INIT_TAKE1("ReceiveBufferSize", ap_set_receive_buffer_size, NULL, \ |
||||||
|
diff --git a/server/listen.c b/server/listen.c |
||||||
|
index e2e028a..6ef664b 100644 |
||||||
|
--- a/server/listen.c |
||||||
|
+++ b/server/listen.c |
||||||
|
@@ -63,6 +63,7 @@ static int ap_listenbacklog; |
||||||
|
static int ap_listencbratio; |
||||||
|
static int send_buffer_size; |
||||||
|
static int receive_buffer_size; |
||||||
|
+static int ap_listenfreebind; |
||||||
|
#ifdef HAVE_SYSTEMD |
||||||
|
static int use_systemd = -1; |
||||||
|
#endif |
||||||
|
@@ -162,6 +163,21 @@ static apr_status_t make_sock(apr_pool_t *p, ap_listen_rec *server, int do_bind_ |
||||||
|
} |
||||||
|
#endif |
||||||
|
|
||||||
|
+ |
||||||
|
+#if defined(APR_SO_FREEBIND) |
||||||
|
+ if (ap_listenfreebind) { |
||||||
|
+ if (apr_socket_opt_set(s, APR_SO_FREEBIND, one) < 0) { |
||||||
|
+ stat = apr_get_netos_error(); |
||||||
|
+ ap_log_perror(APLOG_MARK, APLOG_CRIT, stat, p, APLOGNO(02182) |
||||||
|
+ "make_sock: apr_socket_opt_set: " |
||||||
|
+ "error setting APR_SO_FREEBIND"); |
||||||
|
+ apr_socket_close(s); |
||||||
|
+ return stat; |
||||||
|
+ } |
||||||
|
+ } |
||||||
|
+#endif |
||||||
|
+ |
||||||
|
+ |
||||||
|
if (do_bind_listen) { |
||||||
|
#if APR_HAVE_IPV6 |
||||||
|
if (server->bind_addr->family == APR_INET6) { |
||||||
|
@@ -956,6 +972,7 @@ AP_DECLARE(void) ap_listen_pre_config(void) |
||||||
|
} |
||||||
|
} |
||||||
|
|
||||||
|
+ |
||||||
|
AP_DECLARE_NONSTD(const char *) ap_set_listener(cmd_parms *cmd, void *dummy, |
||||||
|
int argc, char *const argv[]) |
||||||
|
{ |
||||||
|
@@ -1016,6 +1033,14 @@ AP_DECLARE_NONSTD(const char *) ap_set_listener(cmd_parms *cmd, void *dummy, |
||||||
|
return alloc_listener(cmd->server->process, host, port, proto, NULL); |
||||||
|
} |
||||||
|
|
||||||
|
+AP_DECLARE_NONSTD(const char *) ap_set_freelistener(cmd_parms *cmd, void *dummy, |
||||||
|
+ int argc, |
||||||
|
+ char *const argv[]) |
||||||
|
+{ |
||||||
|
+ ap_listenfreebind = 1; |
||||||
|
+ return ap_set_listener(cmd, dummy, argc, argv); |
||||||
|
+} |
||||||
|
+ |
||||||
|
AP_DECLARE_NONSTD(const char *) ap_set_listenbacklog(cmd_parms *cmd, |
||||||
|
void *dummy, |
||||||
|
const char *arg) |
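Review bot: `if (apr_socket_opt_set(s, APR_SO_FREEBIND, one) < 0)` in the make_sock hunk never fires: apr_socket_opt_set returns an apr_status_t, which is APR_SUCCESS (0) or a positive error code, so a failed setsockopt is silently ignored and the `apr_get_netos_error()` that follows would report an unrelated errno; write `if ((stat = apr_socket_opt_set(s, APR_SO_FREEBIND, one)) != APR_SUCCESS) {` and log `stat`, as the neighbouring option-set code in make_sock does. ap_set_freelistener sets the file-wide `ap_listenfreebind`, but make_sock runs for every listener from open_listeners after all Listen/ListenFree lines are parsed, so one ListenFree line enables IP_FREEBIND on every plain Listen socket as well, contrary to the documentation hunk that presents it as the only difference between the two directives; carrying the flag per ap_listen_rec (set in alloc_listener from an argument) and testing it in make_sock would make it per-socket. The static is also never reset, so it presumably survives a graceful restart whose new configuration no longer contains ListenFree. Binding all listeners to not-yet-present addresses is a wider change than the directive name suggests and deserves at least a comment on `ap_listenfreebind` saying it is process-global.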
@ -0,0 +1,13 @@ |
|||||||
|
diff --git a/support/htcacheclean.c b/support/htcacheclean.c |
||||||
|
index 958ba6d..0a7fe3c 100644 |
||||||
|
--- a/support/htcacheclean.c |
||||||
|
+++ b/support/htcacheclean.c |
||||||
|
@@ -557,8 +557,6 @@ static int list_urls(char *path, apr_pool_t *pool, apr_off_t round) |
||||||
|
} |
||||||
|
} |
||||||
|
} |
||||||
|
- |
||||||
|
- break; |
||||||
|
} |
||||||
|
} |
||||||
|
} |
@ -0,0 +1,63 @@ |
|||||||
|
|
||||||
|
Reduce size of httpd binary by telling linker to export all symbols |
||||||
|
from libmain.a, rather than bloating the symbol table with ap_hack_* |
||||||
|
to do so indirectly. |
||||||
|
|
||||||
|
Upstream: https://svn.apache.org/r1861685 (as new default-off configure option) |
||||||
|
|
||||||
|
diff --git a/Makefile.in b/Makefile.in |
||||||
|
index 40c7076..ac98e5f 100644 |
||||||
|
--- a/Makefile.in |
||||||
|
+++ b/Makefile.in |
||||||
|
@@ -4,8 +4,15 @@ CLEAN_SUBDIRS = test |
||||||
|
|
||||||
|
PROGRAM_NAME = $(progname) |
||||||
|
PROGRAM_SOURCES = modules.c |
||||||
|
-PROGRAM_LDADD = buildmark.o $(HTTPD_LDFLAGS) $(PROGRAM_DEPENDENCIES) $(HTTPD_LIBS) $(EXTRA_LIBS) $(AP_LIBS) $(LIBS) |
||||||
|
+PROGRAM_LDADD = buildmark.o $(HTTPD_LDFLAGS) \ |
||||||
|
+ $(PROGRAM_LDDEPS) \ |
||||||
|
+ $(HTTPD_LIBS) $(EXTRA_LIBS) $(AP_LIBS) $(LIBS) |
||||||
|
PROGRAM_PRELINK = $(COMPILE) -c $(top_srcdir)/server/buildmark.c |
||||||
|
+PROGRAM_LDDEPS = \ |
||||||
|
+ $(BUILTIN_LIBS) \ |
||||||
|
+ $(MPM_LIB) \ |
||||||
|
+ -Wl,--whole-archive,server/.libs/libmain.a,--no-whole-archive \ |
||||||
|
+ os/$(OS_DIR)/libos.la |
||||||
|
PROGRAM_DEPENDENCIES = \ |
||||||
|
server/libmain.la \ |
||||||
|
$(BUILTIN_LIBS) \ |
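Review bot: `-Wl,--whole-archive,server/.libs/libmain.a,--no-whole-archive` hard-codes a GNU ld option and libtool's private `.libs/` directory, so the link breaks with a non-GNU linker or a libtool that lays objects out differently, and `server/libmain.la` in PROGRAM_DEPENDENCIES no longer describes what the link line actually consumes; since the description says upstream made this a default-off configure option, an `@...@` substitution from configure would keep the portable path. A comment on PROGRAM_LDDEPS explaining why libmain.a must be linked whole (every symbol loadable modules resolve against has to stay in the binary) would carry the rationale that the deleted ap_suck_in_APR comment in server/main.c used to provide, e.g. `# link libmain.a whole so that all exported httpd symbols remain available to modules`.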
||||||
|
diff --git a/server/Makefile.in b/server/Makefile.in |
||||||
|
index 8111877..f00bb3f 100644 |
||||||
|
--- a/server/Makefile.in |
||||||
|
+++ b/server/Makefile.in |
||||||
|
@@ -12,7 +12,7 @@ LTLIBRARY_SOURCES = \ |
||||||
|
connection.c listen.c util_mutex.c \ |
||||||
|
mpm_common.c mpm_unix.c mpm_fdqueue.c \ |
||||||
|
util_charset.c util_cookies.c util_debug.c util_xml.c \ |
||||||
|
- util_filter.c util_pcre.c util_regex.c exports.c \ |
||||||
|
+ util_filter.c util_pcre.c util_regex.c \ |
||||||
|
scoreboard.c error_bucket.c protocol.c core.c request.c ssl.c provider.c \ |
||||||
|
eoc_bucket.c eor_bucket.c core_filters.c \ |
||||||
|
util_expr_parse.c util_expr_scan.c util_expr_eval.c |
||||||
|
diff --git a/server/main.c b/server/main.c |
||||||
|
index 62e06df..17c09ee 100644 |
||||||
|
--- a/server/main.c |
||||||
|
+++ b/server/main.c |
||||||
|
@@ -835,17 +835,3 @@ int main(int argc, const char * const argv[]) |
||||||
|
return !OK; |
||||||
|
} |
||||||
|
|
||||||
|
-#ifdef AP_USING_AUTOCONF |
||||||
|
-/* This ugly little hack pulls any function referenced in exports.c into |
||||||
|
- * the web server. exports.c is generated during the build, and it |
||||||
|
- * has all of the APR functions specified by the apr/apr.exports and |
||||||
|
- * apr-util/aprutil.exports files. |
||||||
|
- */ |
||||||
|
-const void *ap_suck_in_APR(void); |
||||||
|
-const void *ap_suck_in_APR(void) |
||||||
|
-{ |
||||||
|
- extern const void *ap_ugly_hack; |
||||||
|
- |
||||||
|
- return ap_ugly_hack; |
||||||
|
-} |
||||||
|
-#endif |
@ -0,0 +1,46 @@ |
|||||||
|
diff --git a/server/core.c b/server/core.c |
||||||
|
index c36ff26..621c82a 100644 |
||||||
|
--- a/server/core.c |
||||||
|
+++ b/server/core.c |
||||||
|
@@ -3569,6 +3569,7 @@ enum server_token_type { |
||||||
|
SrvTk_MINIMAL, /* eg: Apache/2.0.41 */ |
||||||
|
SrvTk_OS, /* eg: Apache/2.0.41 (UNIX) */ |
||||||
|
SrvTk_FULL, /* eg: Apache/2.0.41 (UNIX) PHP/4.2.2 FooBar/1.2b */ |
||||||
|
+ SrvTk_FULL_RELEASE, /* eg: Apache/2.0.41 (UNIX) (Release 32.el7) PHP/4.2.2 FooBar/1.2b */ |
||||||
|
SrvTk_PRODUCT_ONLY /* eg: Apache */ |
||||||
|
}; |
||||||
|
static enum server_token_type ap_server_tokens = SrvTk_FULL; |
||||||
|
@@ -3645,7 +3646,10 @@ static void set_banner(apr_pool_t *pconf) |
||||||
|
else if (ap_server_tokens == SrvTk_MAJOR) { |
||||||
|
ap_add_version_component(pconf, AP_SERVER_BASEPRODUCT "/" AP_SERVER_MAJORVERSION); |
||||||
|
} |
||||||
|
- else { |
||||||
|
+ else if (ap_server_tokens == SrvTk_FULL_RELEASE) { |
||||||
|
+ ap_add_version_component(pconf, AP_SERVER_BASEVERSION " (" PLATFORM ") (Release @RELEASE@)"); |
||||||
|
+ } |
||||||
|
+ else { |
||||||
|
ap_add_version_component(pconf, AP_SERVER_BASEVERSION " (" PLATFORM ")"); |
||||||
|
} |
||||||
|
|
||||||
|
@@ -3653,7 +3657,7 @@ static void set_banner(apr_pool_t *pconf) |
||||||
|
* Lock the server_banner string if we're not displaying |
||||||
|
* the full set of tokens |
||||||
|
*/ |
||||||
|
- if (ap_server_tokens != SrvTk_FULL) { |
||||||
|
+ if (ap_server_tokens != SrvTk_FULL && ap_server_tokens != SrvTk_FULL_RELEASE) { |
||||||
|
banner_locked++; |
||||||
|
} |
||||||
|
server_description = AP_SERVER_BASEVERSION " (" PLATFORM ")"; |
||||||
|
@@ -3686,8 +3690,11 @@ static const char *set_serv_tokens(cmd_parms *cmd, void *dummy, |
||||||
|
else if (!ap_cstr_casecmp(arg, "Full")) { |
||||||
|
ap_server_tokens = SrvTk_FULL; |
||||||
|
} |
||||||
|
+ else if (!strcasecmp(arg, "Full-Release")) { |
||||||
|
+ ap_server_tokens = SrvTk_FULL_RELEASE; |
||||||
|
+ } |
||||||
|
else { |
||||||
|
- return "ServerTokens takes 1 argument: 'Prod(uctOnly)', 'Major', 'Minor', 'Min(imal)', 'OS', or 'Full'"; |
||||||
|
+ return "ServerTokens takes 1 argument: 'Prod(uctOnly)', 'Major', 'Minor', 'Min(imal)', 'OS', 'Full' or 'Full-Release'"; |
||||||
|
} |
||||||
|
|
||||||
|
return NULL; |
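Review bot: `!strcasecmp(arg, "Full-Release")` breaks the pattern of the surrounding branches, which use `ap_cstr_casecmp` (the locale-independent comparison httpd uses for directive arguments); write `else if (!ap_cstr_casecmp(arg, "Full-Release")) {` so the match does not depend on the process locale. The new token adds the distribution package release (`@RELEASE@`) to the Server header, which is more identifying than `Full`; the set_banner hunk leaves the banner unlocked for it as for Full, but the help string and the enum comment are the only documentation, so a comment on the enum value saying that `@RELEASE@` is substituted at package build time and that the token is opt-in would help the next reader. set_serv_tokens starts outside the hunk.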
@ -0,0 +1,109 @@ |
|||||||
|
diff --git a/docs/manual/mod/mod_proxy_wstunnel.html.en b/docs/manual/mod/mod_proxy_wstunnel.html.en |
||||||
|
index 9f2c120..61ff7de 100644 |
||||||
|
--- a/docs/manual/mod/mod_proxy_wstunnel.html.en |
||||||
|
+++ b/docs/manual/mod/mod_proxy_wstunnel.html.en |
||||||
|
@@ -83,6 +83,7 @@ in the response <code>Upgrade</code></p> |
||||||
|
<div id="quickview"><a href="https://www.apache.org/foundation/contributing.html" class="badge"><img src="https://www.apache.org/images/SupportApache-small.png" alt="Support Apache!" /></a><h3 class="directives">Directives</h3> |
||||||
|
<ul id="toc"> |
||||||
|
<li><img alt="" src="../images/down.gif" /> <a href="#proxywebsocketfallbacktoproxyhttp">ProxyWebsocketFallbackToProxyHttp</a></li> |
||||||
|
+<li><img alt="" src="../images/down.gif" /> <a href="#proxywebsocketidletimeout">ProxyWebsocketIdleTimeout</a></li> |
||||||
|
</ul> |
||||||
|
<h3>Bugfix checklist</h3><ul class="seealso"><li><a href="https://www.apache.org/dist/httpd/CHANGES_2.4">httpd changelog</a></li><li><a href="https://bz.apache.org/bugzilla/buglist.cgi?bug_status=__open__&list_id=144532&product=Apache%20httpd-2&query_format=specific&order=changeddate%20DESC%2Cpriority%2Cbug_severity&component=mod_proxy_wstunnel">Known issues</a></li><li><a href="https://bz.apache.org/bugzilla/enter_bug.cgi?product=Apache%20httpd-2&component=mod_proxy_wstunnel">Report a bug</a></li></ul><h3>See also</h3> |
||||||
|
<ul class="seealso"> |
||||||
|
@@ -108,6 +109,23 @@ in the response <code>Upgrade</code></p> |
||||||
|
WebSocket requests as in httpd 2.4.46 and earlier.</p> |
||||||
|
|
||||||
|
</div> |
||||||
|
+ |
||||||
|
+<div class="directive-section"><h2><a name="ProxyWebsocketIdleTimeout" id="ProxyWebsocketIdleTimeout">ProxyWebsocketIdleTimeout</a> <a name="proxywebsocketidletimeout" id="proxywebsocketidletimeout">Directive</a> <a title="Permanent link" href="#proxywebsocketidletimeout" class="permalink">¶</a></h2> |
||||||
|
+<table class="directive"> |
||||||
|
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Sets the maximum amount of time to wait for data on the websockets tunnel</td></tr> |
||||||
|
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>ProxyWebsocketIdleTimeout <var>num</var>[ms]</code></td></tr> |
||||||
|
+<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>ProxyWebsocketIdleTimeout 0</code></td></tr> |
||||||
|
+<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr> |
||||||
|
+<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> |
||||||
|
+<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_proxy_wstunnel</td></tr> |
||||||
|
+</table> |
||||||
|
+ <p>This directive imposes a maximum amount of time for the tunnel to be |
||||||
|
+ left open while idle. The timeout is considered in seconds by default, but |
||||||
|
+ it is possible to increase the time resolution to milliseconds |
||||||
|
+ adding the <em>ms</em> suffix.</p> |
||||||
|
+ |
||||||
|
+</div> |
||||||
|
+ |
||||||
|
</div> |
||||||
|
<div class="bottomlang"> |
||||||
|
<p><span>Available Languages: </span><a href="../en/mod/mod_proxy_wstunnel.html" title="English"> en </a> | |
||||||
|
diff --git a/modules/proxy/mod_proxy_wstunnel.c b/modules/proxy/mod_proxy_wstunnel.c |
||||||
|
index bcbba42..c29ded1 100644 |
||||||
|
--- a/modules/proxy/mod_proxy_wstunnel.c |
||||||
|
+++ b/modules/proxy/mod_proxy_wstunnel.c |
||||||
|
@@ -22,6 +22,7 @@ module AP_MODULE_DECLARE_DATA proxy_wstunnel_module; |
||||||
|
typedef struct { |
||||||
|
unsigned int fallback_to_proxy_http :1, |
||||||
|
fallback_to_proxy_http_set :1; |
||||||
|
+ apr_time_t idle_timeout; |
||||||
|
} proxyws_dir_conf; |
||||||
|
|
||||||
|
static int can_fallback_to_proxy_http; |
||||||
|
@@ -152,6 +153,8 @@ static int proxy_wstunnel_request(apr_pool_t *p, request_rec *r, |
||||||
|
conn_rec *c = r->connection; |
||||||
|
apr_socket_t *sock = conn->sock; |
||||||
|
conn_rec *backconn = conn->connection; |
||||||
|
+ proxyws_dir_conf *dconf = ap_get_module_config(r->per_dir_config, |
||||||
|
+ &proxy_wstunnel_module); |
||||||
|
char *buf; |
||||||
|
apr_bucket_brigade *header_brigade; |
||||||
|
apr_bucket *e; |
||||||
|
@@ -229,10 +232,13 @@ static int proxy_wstunnel_request(apr_pool_t *p, request_rec *r, |
||||||
|
c->keepalive = AP_CONN_CLOSE; |
||||||
|
|
||||||
|
do { /* Loop until done (one side closes the connection, or an error) */ |
||||||
|
- rv = apr_pollset_poll(pollset, -1, &pollcnt, &signalled); |
||||||
|
+ rv = apr_pollset_poll(pollset, dconf->idle_timeout, &pollcnt, &signalled); |
||||||
|
if (rv != APR_SUCCESS) { |
||||||
|
if (APR_STATUS_IS_EINTR(rv)) { |
||||||
|
continue; |
||||||
|
+ } else if(APR_STATUS_IS_TIMEUP(rv)){ |
||||||
|
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, "RH: the connection has timed out"); |
||||||
|
+ return HTTP_REQUEST_TIME_OUT; |
||||||
|
} |
||||||
|
ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(02444) "error apr_poll()"); |
||||||
|
return HTTP_INTERNAL_SERVER_ERROR; |
||||||
|
@@ -418,11 +424,26 @@ cleanup: |
||||||
|
return status; |
||||||
|
} |
||||||
|
|
||||||
|
+static const char * proxyws_set_idle(cmd_parms *cmd, void *conf, const char *val) |
||||||
|
+{ |
||||||
|
+ proxyws_dir_conf *dconf = conf; |
||||||
|
+ if (ap_timeout_parameter_parse(val, &(dconf->idle_timeout), "s") != APR_SUCCESS) |
||||||
|
+ return "ProxyWebsocketIdleTimeout timeout has wrong format"; |
||||||
|
+ |
||||||
|
+ if (dconf->idle_timeout < 0) |
||||||
|
+ return "ProxyWebsocketIdleTimeout timeout has to be a non-negative number"; |
||||||
|
+ |
||||||
|
+ if (!dconf->idle_timeout) dconf->idle_timeout = -1; /* loop indefinitely */ |
||||||
|
+ |
||||||
|
+ return NULL; |
||||||
|
+} |
||||||
|
+ |
||||||
|
static void *create_proxyws_dir_config(apr_pool_t *p, char *dummy) |
||||||
|
{ |
||||||
|
proxyws_dir_conf *new = |
||||||
|
(proxyws_dir_conf *) apr_pcalloc(p, sizeof(proxyws_dir_conf)); |
||||||
|
|
||||||
|
+ new->idle_timeout = -1; /* no timeout */ |
||||||
|
new->fallback_to_proxy_http = 1; |
||||||
|
|
||||||
|
return (void *) new; |
||||||
|
@@ -465,7 +486,8 @@ static const command_rec ws_proxy_cmds[] = |
||||||
|
proxyws_fallback_to_proxy_http, NULL, RSRC_CONF|ACCESS_CONF, |
||||||
|
"whether to let mod_proxy_http handle the upgrade and tunneling, " |
||||||
|
"On by default"), |
||||||
|
- |
||||||
|
+ AP_INIT_TAKE1("ProxyWebsocketIdleTimeout", proxyws_set_idle, NULL, RSRC_CONF|ACCESS_CONF, |
||||||
|
+ "timeout for activity in either direction, unlimited by default."), |
||||||
|
{NULL} |
||||||
|
}; |
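Review bot: The timeout branch added to the poll loop logs `"RH: the connection has timed out"` at APLOG_ERR with no APLOGNO tag, unlike the neighbouring `APLOGNO(02444)` message, and an idle tunnel reaching ProxyWebsocketIdleTimeout is an expected event rather than a fault, so this will be noisy at production log levels. I would lower it and tag it, e.g. `ap_log_rerror(APLOG_MARK, APLOG_INFO, rv, r, APLOGNO(<new>) "websocket tunnel closed: ProxyWebsocketIdleTimeout expired");` (the `else if(APR_STATUS_IS_TIMEUP(rv)){` line also lacks the spaces the rest of the file uses). The directive is registered RSRC_CONF|ACCESS_CONF, yet nothing in this diff merges `idle_timeout`; if the module has a per-directory merge function (not visible here), a directory config created by `create_proxyws_dir_config` with `-1` would need a `_set` flag like `fallback_to_proxy_http_set` to inherit the server-level value rather than override it. `proxy_wstunnel_request` begins and ends outside the hunks.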
||||||
|
|
@ -0,0 +1,229 @@ |
|||||||
|
diff --git a/Makefile.in b/Makefile.in |
||||||
|
index 6747aea..40c7076 100644 |
||||||
|
--- a/Makefile.in |
||||||
|
+++ b/Makefile.in |
||||||
|
@@ -233,6 +233,7 @@ install-cgi: |
||||||
|
install-other: |
||||||
|
@test -d $(DESTDIR)$(logfiledir) || $(MKINSTALLDIRS) $(DESTDIR)$(logfiledir) |
||||||
|
@test -d $(DESTDIR)$(runtimedir) || $(MKINSTALLDIRS) $(DESTDIR)$(runtimedir) |
||||||
|
+ @test -d $(DESTDIR)$(statedir) || $(MKINSTALLDIRS) $(DESTDIR)$(statedir) |
||||||
|
@for ext in dll x; do \ |
||||||
|
file=apachecore.$$ext; \ |
||||||
|
if test -f $$file; then \ |
||||||
|
diff --git a/acinclude.m4 b/acinclude.m4 |
||||||
|
index b6ef442..98f1441 100644 |
||||||
|
--- a/acinclude.m4 |
||||||
|
+++ b/acinclude.m4 |
||||||
|
@@ -45,6 +45,7 @@ AC_DEFUN([APACHE_GEN_CONFIG_VARS],[ |
||||||
|
APACHE_SUBST(installbuilddir) |
||||||
|
APACHE_SUBST(runtimedir) |
||||||
|
APACHE_SUBST(proxycachedir) |
||||||
|
+ APACHE_SUBST(statedir) |
||||||
|
APACHE_SUBST(other_targets) |
||||||
|
APACHE_SUBST(progname) |
||||||
|
APACHE_SUBST(prefix) |
||||||
|
@@ -665,6 +666,7 @@ AC_DEFUN([APACHE_EXPORT_ARGUMENTS],[ |
||||||
|
APACHE_SUBST_EXPANDED_ARG(runtimedir) |
||||||
|
APACHE_SUBST_EXPANDED_ARG(logfiledir) |
||||||
|
APACHE_SUBST_EXPANDED_ARG(proxycachedir) |
||||||
|
+ APACHE_SUBST_EXPANDED_ARG(statedir) |
||||||
|
]) |
||||||
|
|
||||||
|
dnl |
||||||
|
diff --git a/configure.in b/configure.in |
||||||
|
index 37346b2..f303784 100644 |
||||||
|
--- a/configure.in |
||||||
|
+++ b/configure.in |
||||||
|
@@ -41,7 +41,7 @@ dnl Something seems broken here. |
||||||
|
AC_PREFIX_DEFAULT(/usr/local/apache2) |
||||||
|
|
||||||
|
dnl Get the layout here, so we can pass the required variables to apr |
||||||
|
-APR_ENABLE_LAYOUT(Apache, [errordir iconsdir htdocsdir cgidir]) |
||||||
|
+APR_ENABLE_LAYOUT(Apache, [errordir iconsdir htdocsdir cgidir statedir]) |
||||||
|
|
||||||
|
dnl reparse the configure arguments. |
||||||
|
APR_PARSE_ARGUMENTS |
||||||
|
diff --git a/include/ap_config_layout.h.in b/include/ap_config_layout.h.in |
||||||
|
index 2b4a70c..e076f41 100644 |
||||||
|
--- a/include/ap_config_layout.h.in |
||||||
|
+++ b/include/ap_config_layout.h.in |
||||||
|
@@ -60,5 +60,7 @@ |
||||||
|
#define DEFAULT_REL_LOGFILEDIR "@rel_logfiledir@" |
||||||
|
#define DEFAULT_EXP_PROXYCACHEDIR "@exp_proxycachedir@" |
||||||
|
#define DEFAULT_REL_PROXYCACHEDIR "@rel_proxycachedir@" |
||||||
|
+#define DEFAULT_EXP_STATEDIR "@exp_statedir@" |
||||||
|
+#define DEFAULT_REL_STATEDIR "@rel_statedir@" |
||||||
|
|
||||||
|
#endif /* AP_CONFIG_LAYOUT_H */ |
||||||
|
diff --git a/include/http_config.h b/include/http_config.h |
||||||
|
index 77657ae..384a90f 100644 |
||||||
|
--- a/include/http_config.h |
||||||
|
+++ b/include/http_config.h |
||||||
|
@@ -757,6 +757,14 @@ AP_DECLARE(char *) ap_server_root_relative(apr_pool_t *p, const char *fname); |
||||||
|
*/ |
||||||
|
AP_DECLARE(char *) ap_runtime_dir_relative(apr_pool_t *p, const char *fname); |
||||||
|
|
||||||
|
+/** |
||||||
|
+ * Compute the name of a persistent state file (e.g. a database or |
||||||
|
+ * long-lived cache) relative to the appropriate state directory. |
||||||
|
+ * Absolute paths are returned as-is. The state directory is |
||||||
|
+ * configured via the DefaultStateDir directive or at build time. |
||||||
|
+ */ |
||||||
|
+AP_DECLARE(char *) ap_state_dir_relative(apr_pool_t *p, const char *fname); |
||||||
|
+ |
||||||
|
/* Finally, the hook for dynamically loading modules in... */ |
||||||
|
|
||||||
|
/** |
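Review bot: The new doc comment for `ap_state_dir_relative` does not say that the function can return NULL, although the implementation added to server/core.c in this same patch returns NULL when `apr_filepath_merge` fails, and the first caller (`dav_fs_post_config` in mod_dav_fs.c) stores the result unchecked. Add a return line, e.g. ` * @return the merged path, or NULL if the path could not be resolved`, and state where the default comes from when no DefaultStateDir is set (core.c falls back to the build-time state directory resolved relative to ServerRoot), so module authors know both the failure mode and the default location.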
||||||
|
diff --git a/modules/dav/fs/mod_dav_fs.c b/modules/dav/fs/mod_dav_fs.c |
||||||
|
index addfd7e..2389f8f 100644 |
||||||
|
--- a/modules/dav/fs/mod_dav_fs.c |
||||||
|
+++ b/modules/dav/fs/mod_dav_fs.c |
||||||
|
@@ -29,6 +29,10 @@ typedef struct { |
||||||
|
|
||||||
|
extern module AP_MODULE_DECLARE_DATA dav_fs_module; |
||||||
|
|
||||||
|
+#ifndef DEFAULT_DAV_LOCKDB |
||||||
|
+#define DEFAULT_DAV_LOCKDB "davlockdb" |
||||||
|
+#endif |
||||||
|
+ |
||||||
|
const char *dav_get_lockdb_path(const request_rec *r) |
||||||
|
{ |
||||||
|
dav_fs_server_conf *conf; |
||||||
|
@@ -57,6 +61,24 @@ static void *dav_fs_merge_server_config(apr_pool_t *p, |
||||||
|
return newconf; |
||||||
|
} |
||||||
|
|
||||||
|
+static apr_status_t dav_fs_post_config(apr_pool_t *p, apr_pool_t *plog, |
||||||
|
+ apr_pool_t *ptemp, server_rec *base_server) |
||||||
|
+{ |
||||||
|
+ server_rec *s; |
||||||
|
+ |
||||||
|
+ for (s = base_server; s; s = s->next) { |
||||||
|
+ dav_fs_server_conf *conf; |
||||||
|
+ |
||||||
|
+ conf = ap_get_module_config(s->module_config, &dav_fs_module); |
||||||
|
+ |
||||||
|
+ if (!conf->lockdb_path) { |
||||||
|
+ conf->lockdb_path = ap_state_dir_relative(p, DEFAULT_DAV_LOCKDB); |
||||||
|
+ } |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+ return OK; |
||||||
|
+} |
||||||
|
+ |
||||||
|
/* |
||||||
|
* Command handler for the DAVLockDB directive, which is TAKE1 |
||||||
|
*/ |
||||||
|
@@ -87,6 +109,8 @@ static const command_rec dav_fs_cmds[] = |
||||||
|
|
||||||
|
static void register_hooks(apr_pool_t *p) |
||||||
|
{ |
||||||
|
+ ap_hook_post_config(dav_fs_post_config, NULL, NULL, APR_HOOK_MIDDLE); |
||||||
|
+ |
||||||
|
dav_hook_gather_propsets(dav_fs_gather_propsets, NULL, NULL, |
||||||
|
APR_HOOK_MIDDLE); |
||||||
|
dav_hook_find_liveprop(dav_fs_find_liveprop, NULL, NULL, APR_HOOK_MIDDLE); |
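Review bot: `dav_fs_post_config` assigns `ap_state_dir_relative(p, DEFAULT_DAV_LOCKDB)` to `conf->lockdb_path` without checking it, and that function returns NULL when the path merge fails, so a resolution failure would leave a NULL lock database path with no startup diagnostic. Check it and fail configuration with a logged message, e.g. `if (!conf->lockdb_path) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(<new>) "could not resolve default DAVLockDB path"); return !OK; }`. The hook is also declared as returning `apr_status_t` while post_config hooks return `int` (OK/DECLINED/HTTP status); it compiles only because apr_status_t is an int typedef, so declare it `static int dav_fs_post_config(...)` to match the hook signature.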
||||||
|
diff --git a/server/core.c b/server/core.c |
||||||
|
index d135764..c2176b9 100644 |
||||||
|
--- a/server/core.c |
||||||
|
+++ b/server/core.c |
||||||
|
@@ -142,6 +142,8 @@ AP_DECLARE_DATA int ap_main_state = AP_SQ_MS_INITIAL_STARTUP; |
||||||
|
AP_DECLARE_DATA int ap_run_mode = AP_SQ_RM_UNKNOWN; |
||||||
|
AP_DECLARE_DATA int ap_config_generation = 0; |
||||||
|
|
||||||
|
+static const char *core_state_dir; |
||||||
|
+ |
||||||
|
static void *create_core_dir_config(apr_pool_t *a, char *dir) |
||||||
|
{ |
||||||
|
core_dir_config *conf; |
||||||
|
@@ -1444,13 +1446,16 @@ AP_DECLARE(const char *) ap_resolve_env(apr_pool_t *p, const char * word) |
||||||
|
return res_buf; |
||||||
|
} |
||||||
|
|
||||||
|
-static int reset_config_defines(void *dummy) |
||||||
|
+/* pconf cleanup - clear global variables set from config here. */ |
||||||
|
+static apr_status_t reset_config(void *dummy) |
||||||
|
{ |
||||||
|
ap_server_config_defines = saved_server_config_defines; |
||||||
|
saved_server_config_defines = NULL; |
||||||
|
server_config_defined_vars = NULL; |
||||||
|
ap_runtime_dir = NULL; |
||||||
|
- return OK; |
||||||
|
+ core_state_dir = NULL; |
||||||
|
+ |
||||||
|
+ return APR_SUCCESS; |
||||||
|
} |
||||||
|
|
||||||
|
/* |
||||||
|
@@ -3220,6 +3225,24 @@ static const char *set_runtime_dir(cmd_parms *cmd, void *dummy, const char *arg) |
||||||
|
return NULL; |
||||||
|
} |
||||||
|
|
||||||
|
+static const char *set_state_dir(cmd_parms *cmd, void *dummy, const char *arg) |
||||||
|
+{ |
||||||
|
+ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY); |
||||||
|
+ |
||||||
|
+ if (err != NULL) { |
||||||
|
+ return err; |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+ if ((apr_filepath_merge((char**)&core_state_dir, NULL, |
||||||
|
+ ap_server_root_relative(cmd->temp_pool, arg), |
||||||
|
+ APR_FILEPATH_TRUENAME, cmd->pool) != APR_SUCCESS) |
||||||
|
+ || !ap_is_directory(cmd->temp_pool, core_state_dir)) { |
||||||
|
+ return "DefaultStateDir must be a valid directory, absolute or relative to ServerRoot"; |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+ return NULL; |
||||||
|
+} |
||||||
|
+ |
||||||
|
static const char *set_timeout(cmd_parms *cmd, void *dummy, const char *arg) |
||||||
|
{ |
||||||
|
const char *err = ap_check_cmd_context(cmd, NOT_IN_DIR_CONTEXT); |
||||||
|
@@ -4521,6 +4544,8 @@ AP_INIT_TAKE1("ServerRoot", set_server_root, NULL, RSRC_CONF | EXEC_ON_READ, |
||||||
|
"Common directory of server-related files (logs, confs, etc.)"), |
||||||
|
AP_INIT_TAKE1("DefaultRuntimeDir", set_runtime_dir, NULL, RSRC_CONF | EXEC_ON_READ, |
||||||
|
"Common directory for run-time files (shared memory, locks, etc.)"), |
||||||
|
+AP_INIT_TAKE1("DefaultStateDir", set_state_dir, NULL, RSRC_CONF | EXEC_ON_READ, |
||||||
|
+ "Common directory for persistent state (databases, long-lived caches, etc.)"), |
||||||
|
AP_INIT_TAKE1("ErrorLog", set_server_string_slot, |
||||||
|
(void *)APR_OFFSETOF(server_rec, error_fname), RSRC_CONF, |
||||||
|
"The filename of the error log"), |
||||||
|
@@ -5055,8 +5080,7 @@ static int core_pre_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptem |
||||||
|
|
||||||
|
if (!saved_server_config_defines) |
||||||
|
init_config_defines(pconf); |
||||||
|
- apr_pool_cleanup_register(pconf, NULL, reset_config_defines, |
||||||
|
- apr_pool_cleanup_null); |
||||||
|
+ apr_pool_cleanup_register(pconf, NULL, reset_config, apr_pool_cleanup_null); |
||||||
|
|
||||||
|
ap_regcomp_set_default_cflags(AP_REG_DEFAULT); |
||||||
|
|
||||||
|
@@ -5303,6 +5327,27 @@ AP_DECLARE(int) ap_state_query(int query) |
||||||
|
} |
||||||
|
} |
||||||
|
|
||||||
|
+AP_DECLARE(char *) ap_state_dir_relative(apr_pool_t *p, const char *file) |
||||||
|
+{ |
||||||
|
+ char *newpath = NULL; |
||||||
|
+ apr_status_t rv; |
||||||
|
+ const char *state_dir; |
||||||
|
+ |
||||||
|
+ state_dir = core_state_dir |
||||||
|
+ ? core_state_dir |
||||||
|
+ : ap_server_root_relative(p, DEFAULT_REL_STATEDIR); |
||||||
|
+ |
||||||
|
+ rv = apr_filepath_merge(&newpath, state_dir, file, APR_FILEPATH_TRUENAME, p); |
||||||
|
+ if (newpath && (rv == APR_SUCCESS || APR_STATUS_IS_EPATHWILD(rv) |
||||||
|
+ || APR_STATUS_IS_ENOENT(rv) |
||||||
|
+ || APR_STATUS_IS_ENOTDIR(rv))) { |
||||||
|
+ return newpath; |
||||||
|
+ } |
||||||
|
+ else { |
||||||
|
+ return NULL; |
||||||
|
+ } |
||||||
|
+} |
||||||
|
+ |
||||||
|
static apr_random_t *rng = NULL; |
||||||
|
#if APR_HAS_THREADS |
||||||
|
static apr_thread_mutex_t *rng_mutex = NULL; |
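Review bot: In `ap_state_dir_relative` the fallback `ap_server_root_relative(p, DEFAULT_REL_STATEDIR)` can itself return NULL, and `apr_filepath_merge` treats a NULL rootpath as the current working directory (per APR's documentation, as far as I recall), so on that failure path a state file name would silently be resolved against the process cwd instead of being rejected; add `if (!state_dir) return NULL;` before the merge. In `set_state_dir`, `(char**)&core_state_dir` casts away the const of the `const char *` object; merging into a local `char *dir` and then assigning `core_state_dir = dir;` avoids the cast and makes the directory check read the same variable that was just written.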
@ -0,0 +1,79 @@ |
|||||||
|
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c |
||||||
|
index 15f68f9..e67c81d 100644 |
||||||
|
--- a/modules/ssl/ssl_engine_init.c |
||||||
|
+++ b/modules/ssl/ssl_engine_init.c |
||||||
|
@@ -1682,6 +1682,10 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s, |
||||||
|
STACK_OF(X509) *chain; |
||||||
|
X509_STORE_CTX *sctx; |
||||||
|
X509_STORE *store = SSL_CTX_get_cert_store(mctx->ssl_ctx); |
||||||
|
+ int addl_chain = 0; /* non-zero if additional chain certs were |
||||||
|
+ * added to store */ |
||||||
|
+ |
||||||
|
+ ap_assert(store != NULL); /* safe to assume always non-NULL? */ |
||||||
|
|
||||||
|
#if OPENSSL_VERSION_NUMBER >= 0x1010100fL |
||||||
|
/* For OpenSSL >=1.1.1, turn on client cert support which is |
||||||
|
@@ -1707,20 +1711,28 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s, |
||||||
|
ssl_init_ca_cert_path(s, ptemp, pkp->cert_path, NULL, sk); |
||||||
|
} |
||||||
|
|
||||||
|
- if ((ncerts = sk_X509_INFO_num(sk)) <= 0) { |
||||||
|
- sk_X509_INFO_free(sk); |
||||||
|
- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(02206) |
||||||
|
- "no client certs found for SSL proxy"); |
||||||
|
- return APR_SUCCESS; |
||||||
|
- } |
||||||
|
- |
||||||
|
/* Check that all client certs have got certificates and private |
||||||
|
- * keys. */ |
||||||
|
- for (n = 0; n < ncerts; n++) { |
||||||
|
+ * keys. Note the number of certs in the stack may decrease |
||||||
|
+ * during the loop. */ |
||||||
|
+ for (n = 0; n < sk_X509_INFO_num(sk); n++) { |
||||||
|
X509_INFO *inf = sk_X509_INFO_value(sk, n); |
||||||
|
+ int has_privkey = inf->x_pkey && inf->x_pkey->dec_pkey; |
||||||
|
|
||||||
|
- if (!inf->x509 || !inf->x_pkey || !inf->x_pkey->dec_pkey || |
||||||
|
- inf->enc_data) { |
||||||
|
+ /* For a lone certificate in the file, trust it as a |
||||||
|
+ * CA/intermediate certificate. */ |
||||||
|
+ if (inf->x509 && !has_privkey && !inf->enc_data) { |
||||||
|
+ ssl_log_xerror(SSLLOG_MARK, APLOG_DEBUG, 0, ptemp, s, inf->x509, |
||||||
|
+ APLOGNO(10261) "Trusting non-leaf certificate"); |
||||||
|
+ X509_STORE_add_cert(store, inf->x509); /* increments inf->x509 */ |
||||||
|
+ /* Delete from the stack and iterate again. */ |
||||||
|
+ X509_INFO_free(inf); |
||||||
|
+ sk_X509_INFO_delete(sk, n); |
||||||
|
+ n--; |
||||||
|
+ addl_chain = 1; |
||||||
|
+ continue; |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+ if (!has_privkey || inf->enc_data) { |
||||||
|
sk_X509_INFO_free(sk); |
||||||
|
ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, APLOGNO(02252) |
||||||
|
"incomplete client cert configured for SSL proxy " |
||||||
|
@@ -1737,13 +1749,21 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s, |
||||||
|
} |
||||||
|
} |
||||||
|
|
||||||
|
+ if ((ncerts = sk_X509_INFO_num(sk)) <= 0) { |
||||||
|
+ sk_X509_INFO_free(sk); |
||||||
|
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(02206) |
||||||
|
+ "no client certs found for SSL proxy"); |
||||||
|
+ return APR_SUCCESS; |
||||||
|
+ } |
||||||
|
+ |
||||||
|
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02207) |
||||||
|
"loaded %d client certs for SSL proxy", |
||||||
|
ncerts); |
||||||
|
pkp->certs = sk; |
||||||
|
|
||||||
|
- |
||||||
|
- if (!pkp->ca_cert_file || !store) { |
||||||
|
+ /* If any chain certs are configured, build the ->ca_certs chains |
||||||
|
+ * corresponding to the loaded keypairs. */ |
||||||
|
+ if (!pkp->ca_cert_file && !addl_chain) { |
||||||
|
return APR_SUCCESS; |
||||||
|
} |
||||||
|
|
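Review bot: `ap_assert(store != NULL); /* safe to assume always non-NULL? */` commits an open question into the code; either resolve it to a statement (`/* SSL_CTX_new always creates a cert store, so this cannot be NULL */`) or replace the assert with a logged error return, but do not ship the question mark. The `X509_STORE_add_cert(store, inf->x509)` return value is also ignored; I believe OpenSSL versions before 1.1.1 report failure when the certificate is already in the store, which is plausible when the same intermediate appears in several proxy certificate files, so either check the result and log it at debug level or add a comment stating that duplicate additions are expected and deliberately ignored. `ssl_init_proxy_certs` begins and ends outside these hunks.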
@ -0,0 +1,81 @@ |
|||||||
|
diff --git a/server/util_script.c b/server/util_script.c |
||||||
|
index 4121ae0..b7f8674 100644 |
||||||
|
--- a/server/util_script.c |
||||||
|
+++ b/server/util_script.c |
||||||
|
@@ -92,9 +92,21 @@ static void add_unless_null(apr_table_t *table, const char *name, const char *va |
||||||
|
} |
||||||
|
} |
||||||
|
|
||||||
|
-static void env2env(apr_table_t *table, const char *name) |
||||||
|
+/* Sets variable @name in table @dest from r->subprocess_env if |
||||||
|
+ * available, else from the environment, else from @fallback if |
||||||
|
+ * non-NULL. */ |
||||||
|
+static void env2env(apr_table_t *dest, request_rec *r, |
||||||
|
+ const char *name, const char *fallback) |
||||||
|
{ |
||||||
|
- add_unless_null(table, name, getenv(name)); |
||||||
|
+ const char *val; |
||||||
|
+ |
||||||
|
+ val = apr_table_get(r->subprocess_env, name); |
||||||
|
+ if (!val) |
||||||
|
+ val = apr_pstrdup(r->pool, getenv(name)); |
||||||
|
+ if (!val) |
||||||
|
+ val = apr_pstrdup(r->pool, fallback); |
||||||
|
+ if (val) |
||||||
|
+ apr_table_addn(dest, name, val); |
||||||
|
} |
||||||
|
|
||||||
|
AP_DECLARE(char **) ap_create_environment(apr_pool_t *p, apr_table_t *t) |
||||||
|
@@ -211,37 +223,29 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r) |
||||||
|
add_unless_null(e, http2env(r, hdrs[i].key), hdrs[i].val); |
||||||
|
} |
||||||
|
|
||||||
|
- env_temp = apr_table_get(r->subprocess_env, "PATH"); |
||||||
|
- if (env_temp == NULL) { |
||||||
|
- env_temp = getenv("PATH"); |
||||||
|
- } |
||||||
|
- if (env_temp == NULL) { |
||||||
|
- env_temp = DEFAULT_PATH; |
||||||
|
- } |
||||||
|
- apr_table_addn(e, "PATH", apr_pstrdup(r->pool, env_temp)); |
||||||
|
- |
||||||
|
+ env2env(e, r, "PATH", DEFAULT_PATH); |
||||||
|
#if defined(WIN32) |
||||||
|
- env2env(e, "SystemRoot"); |
||||||
|
- env2env(e, "COMSPEC"); |
||||||
|
- env2env(e, "PATHEXT"); |
||||||
|
- env2env(e, "WINDIR"); |
||||||
|
+ env2env(e, r, "SystemRoot", NULL); |
||||||
|
+ env2env(e, r, "COMSPEC", NULL); |
||||||
|
+ env2env(e, r, "PATHEXT", NULL); |
||||||
|
+ env2env(e, r, "WINDIR", NULL); |
||||||
|
#elif defined(OS2) |
||||||
|
- env2env(e, "COMSPEC"); |
||||||
|
- env2env(e, "ETC"); |
||||||
|
- env2env(e, "DPATH"); |
||||||
|
- env2env(e, "PERLLIB_PREFIX"); |
||||||
|
+ env2env(e, r, "COMSPEC", NULL); |
||||||
|
+ env2env(e, r, "ETC", NULL); |
||||||
|
+ env2env(e, r, "DPATH", NULL); |
||||||
|
+ env2env(e, r, "PERLLIB_PREFIX", NULL); |
||||||
|
#elif defined(BEOS) |
||||||
|
- env2env(e, "LIBRARY_PATH"); |
||||||
|
+ env2env(e, r, "LIBRARY_PATH", NULL); |
||||||
|
#elif defined(DARWIN) |
||||||
|
- env2env(e, "DYLD_LIBRARY_PATH"); |
||||||
|
+ env2env(e, r, "DYLD_LIBRARY_PATH", NULL); |
||||||
|
#elif defined(_AIX) |
||||||
|
- env2env(e, "LIBPATH"); |
||||||
|
+ env2env(e, r, "LIBPATH", NULL); |
||||||
|
#elif defined(__HPUX__) |
||||||
|
/* HPUX PARISC 2.0W knows both, otherwise redundancy is harmless */ |
||||||
|
- env2env(e, "SHLIB_PATH"); |
||||||
|
- env2env(e, "LD_LIBRARY_PATH"); |
||||||
|
+ env2env(e, r, "SHLIB_PATH", NULL); |
||||||
|
+ env2env(e, r, "LD_LIBRARY_PATH", NULL); |
||||||
|
#else /* Some Unix */ |
||||||
|
- env2env(e, "LD_LIBRARY_PATH"); |
||||||
|
+ env2env(e, r, "LD_LIBRARY_PATH", NULL); |
||||||
|
#endif |
||||||
|
|
||||||
|
apr_table_addn(e, "SERVER_SIGNATURE", ap_psignature("", r)); |
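Review bot: The new `env2env` body uses brace-less `if (!val)` / `if (val)` statements, whereas the code it replaces in `ap_add_common_vars` braces every conditional; for consistency write `if (!val) { val = apr_pstrdup(r->pool, getenv(name)); }` and likewise for the other two. The comment above the function could also record why only the `getenv` and fallback values are duplicated: `apr_table_addn` stores the pointer as given, the `subprocess_env` value already lives in `r->pool`, and the process environment can change after the call. `ap_add_common_vars` begins and ends outside the hunk.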
@ -0,0 +1,249 @@ |
|||||||
|
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c |
||||||
|
index 211ebff..c8cb1af 100644 |
||||||
|
--- a/modules/ssl/ssl_engine_init.c |
||||||
|
+++ b/modules/ssl/ssl_engine_init.c |
||||||
|
@@ -871,6 +871,13 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, |
||||||
|
SSL_CTX_set_keylog_callback(ctx, modssl_callback_keylog); |
||||||
|
} |
||||||
|
#endif |
||||||
|
+ |
||||||
|
+#ifdef SSL_OP_NO_RENEGOTIATION |
||||||
|
+ /* For server-side SSL_CTX, disable renegotiation by default.. */ |
||||||
|
+ if (!mctx->pkp) { |
||||||
|
+ SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION); |
||||||
|
+ } |
||||||
|
+#endif |
||||||
|
|
||||||
|
return APR_SUCCESS; |
||||||
|
} |
||||||
|
@@ -892,6 +899,14 @@ static void ssl_init_ctx_session_cache(server_rec *s, |
||||||
|
} |
||||||
|
} |
||||||
|
|
||||||
|
+#ifdef SSL_OP_NO_RENEGOTIATION |
||||||
|
+/* OpenSSL-level renegotiation protection. */ |
||||||
|
+#define MODSSL_BLOCKS_RENEG (0) |
||||||
|
+#else |
||||||
|
+/* mod_ssl-level renegotiation protection. */ |
||||||
|
+#define MODSSL_BLOCKS_RENEG (1) |
||||||
|
+#endif |
||||||
|
+ |
||||||
|
static void ssl_init_ctx_callbacks(server_rec *s, |
||||||
|
apr_pool_t *p, |
||||||
|
apr_pool_t *ptemp, |
||||||
|
@@ -905,7 +920,13 @@ static void ssl_init_ctx_callbacks(server_rec *s, |
||||||
|
SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH); |
||||||
|
#endif |
||||||
|
|
||||||
|
- SSL_CTX_set_info_callback(ctx, ssl_callback_Info); |
||||||
|
+ /* The info callback is used for debug-level tracing. For OpenSSL |
||||||
|
+ * versions where SSL_OP_NO_RENEGOTIATION is not available, the |
||||||
|
+ * callback is also used to prevent use of client-initiated |
||||||
|
+ * renegotiation. Enable it in either case. */ |
||||||
|
+ if (APLOGdebug(s) || MODSSL_BLOCKS_RENEG) { |
||||||
|
+ SSL_CTX_set_info_callback(ctx, ssl_callback_Info); |
||||||
|
+ } |
||||||
|
|
||||||
|
#ifdef HAVE_TLS_ALPN |
||||||
|
SSL_CTX_set_alpn_select_cb(ctx, ssl_callback_alpn_select, NULL); |
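Review bot: `if (!mctx->pkp)` is used to mean "this is the server-side SSL_CTX", which relies on the proxy context being the only one with a pkp; the comment should say so explicitly, e.g. `/* pkp is set only for the proxy (client) context, so this is the server context. */`, so the test is not misread as a key-pair check (the same comment also ends with `by default..`, a double period). `APLOGdebug(s) || MODSSL_BLOCKS_RENEG` samples the log level once when the context is built, so as far as I can tell raising LogLevel to debug later has no effect on the info callback until the contexts are recreated on restart; a one-line comment noting this would save a future debugging session. `ssl_init_ctx_protocol` and `ssl_init_ctx_callbacks` begin outside these hunks.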
||||||
|
diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c |
||||||
|
index 79b9a70..3a0c22a 100644 |
||||||
|
--- a/modules/ssl/ssl_engine_io.c |
||||||
|
+++ b/modules/ssl/ssl_engine_io.c |
||||||
|
@@ -209,11 +209,13 @@ static int bio_filter_out_write(BIO *bio, const char *in, int inl) |
||||||
|
|
||||||
|
BIO_clear_retry_flags(bio); |
||||||
|
|
||||||
|
+#ifndef SSL_OP_NO_RENEGOTIATION |
||||||
|
/* Abort early if the client has initiated a renegotiation. */ |
||||||
|
if (outctx->filter_ctx->config->reneg_state == RENEG_ABORT) { |
||||||
|
outctx->rc = APR_ECONNABORTED; |
||||||
|
return -1; |
||||||
|
} |
||||||
|
+#endif |
||||||
|
|
||||||
|
ap_log_cerror(APLOG_MARK, APLOG_TRACE6, 0, outctx->c, |
||||||
|
"bio_filter_out_write: %i bytes", inl); |
||||||
|
@@ -474,11 +476,13 @@ static int bio_filter_in_read(BIO *bio, char *in, int inlen) |
||||||
|
|
||||||
|
BIO_clear_retry_flags(bio); |
||||||
|
|
||||||
|
+#ifndef SSL_OP_NO_RENEGOTIATION |
||||||
|
/* Abort early if the client has initiated a renegotiation. */ |
||||||
|
if (inctx->filter_ctx->config->reneg_state == RENEG_ABORT) { |
||||||
|
inctx->rc = APR_ECONNABORTED; |
||||||
|
return -1; |
||||||
|
} |
||||||
|
+#endif |
||||||
|
|
||||||
|
if (!inctx->bb) { |
||||||
|
inctx->rc = APR_EOF; |
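Review bot: Wrapping the RENEG_ABORT checks in `bio_filter_out_write` and `bio_filter_in_read` with `#ifndef SSL_OP_NO_RENEGOTIATION` changes observable behaviour on OpenSSL >= 1.1.1: a client-initiated renegotiation previously aborted the connection with APR_ECONNABORTED, whereas with SSL_OP_NO_RENEGOTIATION OpenSSL declines the request at the protocol level and, as far as I recall, keeps the connection open, and no mod_ssl log line records the attempt. If that is intended, say so where the old check was, e.g. `/* With SSL_OP_NO_RENEGOTIATION, OpenSSL itself rejects client renegotiation and the connection stays open, so no abort is needed here. */`, so operators who relied on the abort (or on the associated log output) for monitoring know it no longer happens. Both functions begin and end outside these hunks.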
||||||
|
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c |
||||||
|
index 591f6ae..8416864 100644 |
||||||
|
--- a/modules/ssl/ssl_engine_kernel.c |
||||||
|
+++ b/modules/ssl/ssl_engine_kernel.c |
||||||
|
@@ -992,7 +992,7 @@ static int ssl_hook_Access_classic(request_rec *r, SSLSrvConfigRec *sc, SSLDirCo |
||||||
|
|
||||||
|
/* Toggle the renegotiation state to allow the new |
||||||
|
* handshake to proceed. */ |
||||||
|
- sslconn->reneg_state = RENEG_ALLOW; |
||||||
|
+ modssl_set_reneg_state(sslconn, RENEG_ALLOW); |
||||||
|
|
||||||
|
SSL_renegotiate(ssl); |
||||||
|
SSL_do_handshake(ssl); |
||||||
|
@@ -1019,7 +1019,7 @@ static int ssl_hook_Access_classic(request_rec *r, SSLSrvConfigRec *sc, SSLDirCo |
||||||
|
*/ |
||||||
|
SSL_peek(ssl, peekbuf, 0); |
||||||
|
|
||||||
|
- sslconn->reneg_state = RENEG_REJECT; |
||||||
|
+ modssl_set_reneg_state(sslconn, RENEG_REJECT); |
||||||
|
|
||||||
|
if (!SSL_is_init_finished(ssl)) { |
||||||
|
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02261) |
||||||
|
@@ -1078,7 +1078,7 @@ static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirCon |
||||||
|
(sc->server->auth.verify_mode != SSL_CVERIFY_UNSET)) { |
||||||
|
int vmode_inplace, vmode_needed; |
||||||
|
int change_vmode = FALSE; |
||||||
|
- int old_state, n, rc; |
||||||
|
+ int n, rc; |
||||||
|
|
||||||
|
vmode_inplace = SSL_get_verify_mode(ssl); |
||||||
|
vmode_needed = SSL_VERIFY_NONE; |
||||||
|
@@ -1180,8 +1180,6 @@ static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirCon |
||||||
|
return HTTP_FORBIDDEN; |
||||||
|
} |
||||||
|
|
||||||
|
- old_state = sslconn->reneg_state; |
||||||
|
- sslconn->reneg_state = RENEG_ALLOW; |
||||||
|
modssl_set_app_data2(ssl, r); |
||||||
|
|
||||||
|
SSL_do_handshake(ssl); |
||||||
|
@@ -1191,7 +1189,6 @@ static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirCon |
||||||
|
*/ |
||||||
|
SSL_peek(ssl, peekbuf, 0); |
||||||
|
|
||||||
|
- sslconn->reneg_state = old_state; |
||||||
|
modssl_set_app_data2(ssl, NULL); |
||||||
|
|
||||||
|
/* |
||||||
|
@@ -2263,8 +2260,8 @@ static void log_tracing_state(const SSL *ssl, conn_rec *c, |
||||||
|
/* |
||||||
|
* This callback function is executed while OpenSSL processes the SSL |
||||||
|
* handshake and does SSL record layer stuff. It's used to trap |
||||||
|
- * client-initiated renegotiations, and for dumping everything to the |
||||||
|
- * log. |
||||||
|
+ * client-initiated renegotiations (where SSL_OP_NO_RENEGOTIATION is |
||||||
|
+ * not available), and for dumping everything to the log. |
||||||
|
*/ |
||||||
|
void ssl_callback_Info(const SSL *ssl, int where, int rc) |
||||||
|
{ |
||||||
|
@@ -2276,14 +2273,12 @@ void ssl_callback_Info(const SSL *ssl, int where, int rc) |
||||||
|
return; |
||||||
|
} |
||||||
|
|
||||||
|
- /* With TLS 1.3 this callback may be called multiple times on the first |
||||||
|
- * negotiation, so the below logic to detect renegotiations can't work. |
||||||
|
- * Fortunately renegotiations are forbidden starting with TLS 1.3, and |
||||||
|
- * this is enforced by OpenSSL so there's nothing to be done here. |
||||||
|
- */ |
||||||
|
-#if SSL_HAVE_PROTOCOL_TLSV1_3 |
||||||
|
- if (SSL_version(ssl) < TLS1_3_VERSION) |
||||||
|
-#endif |
||||||
|
+#ifndef SSL_OP_NO_RENEGOTIATION |
||||||
|
+ /* With OpenSSL < 1.1.1 (implying TLS v1.2 or earlier), this |
||||||
|
+ * callback is used to block client-initiated renegotiation. With |
||||||
|
+ * TLSv1.3 it is unnecessary since renegotiation is forbidden at |
||||||
|
+ * protocol level. Otherwise (TLSv1.2 with OpenSSL >=1.1.1), |
||||||
|
+ * SSL_OP_NO_RENEGOTIATION is used to block renegotiation. */ |
||||||
|
{ |
||||||
|
SSLConnRec *sslconn; |
||||||
|
|
||||||
|
@@ -2308,6 +2303,7 @@ void ssl_callback_Info(const SSL *ssl, int where, int rc) |
||||||
|
sslconn->reneg_state = RENEG_REJECT; |
||||||
|
} |
||||||
|
} |
||||||
|
+#endif |
||||||
|
|
||||||
|
s = mySrvFromConn(c); |
||||||
|
if (s && APLOGdebug(s)) { |
||||||
|
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h |
||||||
|
index a329d99..7666c31 100644 |
||||||
|
--- a/modules/ssl/ssl_private.h |
||||||
|
+++ b/modules/ssl/ssl_private.h |
||||||
|
@@ -512,6 +512,16 @@ typedef struct { |
||||||
|
apr_time_t source_mtime; |
||||||
|
} ssl_asn1_t; |
||||||
|
|
||||||
|
+typedef enum { |
||||||
|
+ RENEG_INIT = 0, /* Before initial handshake */ |
||||||
|
+ RENEG_REJECT, /* After initial handshake; any client-initiated |
||||||
|
+ * renegotiation should be rejected */ |
||||||
|
+ RENEG_ALLOW, /* A server-initiated renegotiation is taking |
||||||
|
+ * place (as dictated by configuration) */ |
||||||
|
+ RENEG_ABORT /* Renegotiation initiated by client, abort the |
||||||
|
+ * connection */ |
||||||
|
+} modssl_reneg_state; |
||||||
|
+ |
||||||
|
/** |
||||||
|
* Define the mod_ssl per-module configuration structure |
||||||
|
* (i.e. the global configuration for each httpd process) |
||||||
|
@@ -543,18 +553,13 @@ typedef struct { |
||||||
|
NON_SSL_SET_ERROR_MSG /* Need to set the error message */ |
||||||
|
} non_ssl_request; |
||||||
|
|
||||||
|
- /* Track the handshake/renegotiation state for the connection so |
||||||
|
- * that all client-initiated renegotiations can be rejected, as a |
||||||
|
- * partial fix for CVE-2009-3555. */ |
||||||
|
- enum { |
||||||
|
- RENEG_INIT = 0, /* Before initial handshake */ |
||||||
|
- RENEG_REJECT, /* After initial handshake; any client-initiated |
||||||
|
- * renegotiation should be rejected */ |
||||||
|
- RENEG_ALLOW, /* A server-initiated renegotiation is taking |
||||||
|
- * place (as dictated by configuration) */ |
||||||
|
- RENEG_ABORT /* Renegotiation initiated by client, abort the |
||||||
|
- * connection */ |
||||||
|
- } reneg_state; |
||||||
|
+#ifndef SSL_OP_NO_RENEGOTIATION |
||||||
|
+ /* For OpenSSL < 1.1.1, track the handshake/renegotiation state |
||||||
|
+ * for the connection to block client-initiated renegotiations. |
||||||
|
+ * For OpenSSL >=1.1.1, the SSL_OP_NO_RENEGOTIATION flag is used in |
||||||
|
+ * the SSL * options state with equivalent effect. */ |
||||||
|
+ modssl_reneg_state reneg_state; |
||||||
|
+#endif |
||||||
|
|
||||||
|
server_rec *server; |
||||||
|
SSLDirConfigRec *dc; |
||||||
|
@@ -1158,6 +1163,9 @@ int ssl_is_challenge(conn_rec *c, const char *servername, |
||||||
|
* the configured ENGINE. */ |
||||||
|
int modssl_is_engine_id(const char *name); |
||||||
|
|
||||||
|
+/* Set the renegotation state for connection. */ |
||||||
|
+void modssl_set_reneg_state(SSLConnRec *sslconn, modssl_reneg_state state); |
||||||
|
+ |
||||||
|
#endif /* SSL_PRIVATE_H */ |
||||||
|
/** @} */ |
||||||
|
|
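Review bot: The declaration comment `/* Set the renegotation state for connection. */` misspells "renegotiation" and does not describe the two build-dependent behaviours the function has in ssl_util_ssl.c; suggest `/* Set the renegotiation state for the connection: with SSL_OP_NO_RENEGOTIATION this toggles the OpenSSL option on sslconn->ssl, otherwise it records the state in sslconn->reneg_state. */`. Since `reneg_state` is now compiled out whenever SSL_OP_NO_RENEGOTIATION is defined, any remaining direct reader of the field must be guarded the same way; `ssl_callback_Info` in ssl_engine_kernel.c is, and this diff shows no other direct reader, but the change is worth a line in the enum's comment so out-of-tree code knows the field is conditional.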
||||||
|
diff --git a/modules/ssl/ssl_util_ssl.c b/modules/ssl/ssl_util_ssl.c |
||||||
|
index 38079a9..dafb833 100644 |
||||||
|
--- a/modules/ssl/ssl_util_ssl.c |
||||||
|
+++ b/modules/ssl/ssl_util_ssl.c |
||||||
|
@@ -589,3 +589,19 @@ cleanup: |
||||||
|
} |
||||||
|
return rv; |
||||||
|
} |
||||||
|
+ |
||||||
|
+void modssl_set_reneg_state(SSLConnRec *sslconn, modssl_reneg_state state) |
||||||
|
+{ |
||||||
|
+#ifdef SSL_OP_NO_RENEGOTIATION |
||||||
|
+ switch (state) { |
||||||
|
+ case RENEG_ALLOW: |
||||||
|
+ SSL_clear_options(sslconn->ssl, SSL_OP_NO_RENEGOTIATION); |
||||||
|
+ break; |
||||||
|
+ default: |
||||||
|
+ SSL_set_options(sslconn->ssl, SSL_OP_NO_RENEGOTIATION); |
||||||
|
+ break; |
||||||
|
+ } |
||||||
|
+#else |
||||||
|
+ sslconn->reneg_state = state; |
||||||
|
+#endif |
||||||
|
+} |
@ -0,0 +1,156 @@ |
|||||||
|
# ./pullrev.sh 1892413 1895552 |
||||||
|
|
||||||
|
https://bugzilla.redhat.com/show_bug.cgi?id=1938740 |
||||||
|
|
||||||
|
http://svn.apache.org/viewvc?view=revision&revision=1892413 |
||||||
|
http://svn.apache.org/viewvc?view=revision&revision=1895552 |
||||||
|
|
||||||
|
- also mod_cgi/mod_cgid log_flags fix from r1881559 |
||||||
|
|
||||||
|
--- httpd-2.4.51/modules/filters/mod_deflate.c.r1892413+ |
||||||
|
+++ httpd-2.4.51/modules/filters/mod_deflate.c |
||||||
|
@@ -1275,44 +1275,46 @@ |
||||||
|
if (APR_BUCKET_IS_FLUSH(bkt)) { |
||||||
|
apr_bucket *tmp_b; |
||||||
|
|
||||||
|
- ctx->inflate_total += ctx->stream.avail_out; |
||||||
|
- zRC = inflate(&(ctx->stream), Z_SYNC_FLUSH); |
||||||
|
- ctx->inflate_total -= ctx->stream.avail_out; |
||||||
|
- if (zRC != Z_OK) { |
||||||
|
- inflateEnd(&ctx->stream); |
||||||
|
- ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01391) |
||||||
|
- "Zlib error %d inflating data (%s)", zRC, |
||||||
|
- ctx->stream.msg); |
||||||
|
- return APR_EGENERAL; |
||||||
|
- } |
||||||
|
+ if (!ctx->done) { |
||||||
|
+ ctx->inflate_total += ctx->stream.avail_out; |
||||||
|
+ zRC = inflate(&(ctx->stream), Z_SYNC_FLUSH); |
||||||
|
+ ctx->inflate_total -= ctx->stream.avail_out; |
||||||
|
+ if (zRC != Z_OK) { |
||||||
|
+ inflateEnd(&ctx->stream); |
||||||
|
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01391) |
||||||
|
+ "Zlib error %d inflating data (%s)", zRC, |
||||||
|
+ ctx->stream.msg); |
||||||
|
+ return APR_EGENERAL; |
||||||
|
+ } |
||||||
|
|
||||||
|
- if (inflate_limit && ctx->inflate_total > inflate_limit) { |
||||||
|
- inflateEnd(&ctx->stream); |
||||||
|
- ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(02647) |
||||||
|
- "Inflated content length of %" APR_OFF_T_FMT |
||||||
|
- " is larger than the configured limit" |
||||||
|
- " of %" APR_OFF_T_FMT, |
||||||
|
- ctx->inflate_total, inflate_limit); |
||||||
|
- return APR_ENOSPC; |
||||||
|
- } |
||||||
|
+ if (inflate_limit && ctx->inflate_total > inflate_limit) { |
||||||
|
+ inflateEnd(&ctx->stream); |
||||||
|
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(02647) |
||||||
|
+ "Inflated content length of %" APR_OFF_T_FMT |
||||||
|
+ " is larger than the configured limit" |
||||||
|
+ " of %" APR_OFF_T_FMT, |
||||||
|
+ ctx->inflate_total, inflate_limit); |
||||||
|
+ return APR_ENOSPC; |
||||||
|
+ } |
||||||
|
|
||||||
|
- if (!check_ratio(r, ctx, dc)) { |
||||||
|
- inflateEnd(&ctx->stream); |
||||||
|
- ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(02805) |
||||||
|
- "Inflated content ratio is larger than the " |
||||||
|
- "configured limit %i by %i time(s)", |
||||||
|
- dc->ratio_limit, dc->ratio_burst); |
||||||
|
- return APR_EINVAL; |
||||||
|
- } |
||||||
|
+ if (!check_ratio(r, ctx, dc)) { |
||||||
|
+ inflateEnd(&ctx->stream); |
||||||
|
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(02805) |
||||||
|
+ "Inflated content ratio is larger than the " |
||||||
|
+ "configured limit %i by %i time(s)", |
||||||
|
+ dc->ratio_limit, dc->ratio_burst); |
||||||
|
+ return APR_EINVAL; |
||||||
|
+ } |
||||||
|
|
||||||
|
- len = c->bufferSize - ctx->stream.avail_out; |
||||||
|
- ctx->crc = crc32(ctx->crc, (const Bytef *)ctx->buffer, len); |
||||||
|
- tmp_b = apr_bucket_heap_create((char *)ctx->buffer, len, |
||||||
|
- NULL, f->c->bucket_alloc); |
||||||
|
- APR_BRIGADE_INSERT_TAIL(ctx->proc_bb, tmp_b); |
||||||
|
+ len = c->bufferSize - ctx->stream.avail_out; |
||||||
|
+ ctx->crc = crc32(ctx->crc, (const Bytef *)ctx->buffer, len); |
||||||
|
+ tmp_b = apr_bucket_heap_create((char *)ctx->buffer, len, |
||||||
|
+ NULL, f->c->bucket_alloc); |
||||||
|
+ APR_BRIGADE_INSERT_TAIL(ctx->proc_bb, tmp_b); |
||||||
|
|
||||||
|
- ctx->stream.next_out = ctx->buffer; |
||||||
|
- ctx->stream.avail_out = c->bufferSize; |
||||||
|
+ ctx->stream.next_out = ctx->buffer; |
||||||
|
+ ctx->stream.avail_out = c->bufferSize; |
||||||
|
+ } |
||||||
|
|
||||||
|
/* Flush everything so far in the returning brigade, but continue |
||||||
|
* reading should EOS/more follow (don't lose them). |
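Review bot: The new `if (!ctx->done)` guard around the flush-time inflate() carries no comment saying why a FLUSH bucket must not drive inflate once the stream has finished; presumably inflate() on a stream that already returned Z_STREAM_END fails and would trip the APLOGNO(01391) error path for an otherwise valid response, but the reader has to reconstruct that. Suggest `/* Once the stream has ended, another inflate() would fail; just pass the flush through. */` above the guard. The enclosing filter function starts and ends outside this hunk.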
||||||
|
--- httpd-2.4.51/modules/generators/mod_cgi.c.r1892413+ |
||||||
|
+++ httpd-2.4.51/modules/generators/mod_cgi.c |
||||||
|
@@ -191,11 +191,10 @@ |
||||||
|
apr_file_t *f = NULL; |
||||||
|
apr_finfo_t finfo; |
||||||
|
char time_str[APR_CTIME_LEN]; |
||||||
|
- int log_flags = rv ? APLOG_ERR : APLOG_ERR; |
||||||
|
|
||||||
|
/* Intentional no APLOGNO */ |
||||||
|
/* Callee provides APLOGNO in error text */ |
||||||
|
- ap_log_rerror(APLOG_MARK, log_flags, rv, r, |
||||||
|
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, |
||||||
|
"%s%s: %s", logno ? logno : "", error, r->filename); |
||||||
|
|
||||||
|
/* XXX Very expensive mainline case! Open, then getfileinfo! */ |
||||||
|
--- httpd-2.4.51/modules/generators/mod_cgid.c.r1892413+ |
||||||
|
+++ httpd-2.4.51/modules/generators/mod_cgid.c |
||||||
|
@@ -1190,11 +1190,10 @@ |
||||||
|
apr_file_t *f = NULL; |
||||||
|
struct stat finfo; |
||||||
|
char time_str[APR_CTIME_LEN]; |
||||||
|
- int log_flags = rv ? APLOG_ERR : APLOG_ERR; |
||||||
|
|
||||||
|
/* Intentional no APLOGNO */ |
||||||
|
/* Callee provides APLOGNO in error text */ |
||||||
|
- ap_log_rerror(APLOG_MARK, log_flags, rv, r, |
||||||
|
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, |
||||||
|
"%s: %s", error, r->filename); |
||||||
|
|
||||||
|
/* XXX Very expensive mainline case! Open, then getfileinfo! */ |
||||||
|
--- httpd-2.4.51/server/mpm_unix.c.r1892413+ |
||||||
|
+++ httpd-2.4.51/server/mpm_unix.c |
||||||
|
@@ -259,10 +259,12 @@ |
||||||
|
while (cur_extra) { |
||||||
|
ap_generation_t old_gen; |
||||||
|
extra_process_t *next = cur_extra->next; |
||||||
|
+ pid_t pid = cur_extra->pid; |
||||||
|
|
||||||
|
- if (reclaim_one_pid(cur_extra->pid, action_table[cur_action].action)) { |
||||||
|
- if (ap_unregister_extra_mpm_process(cur_extra->pid, &old_gen) == 1) { |
||||||
|
- mpm_callback(-1, cur_extra->pid, old_gen); |
||||||
|
+ if (reclaim_one_pid(pid, action_table[cur_action].action)) { |
||||||
|
+ if (ap_unregister_extra_mpm_process(pid, &old_gen) == 1) { |
||||||
|
+ /* cur_extra dangling pointer from here. */ |
||||||
|
+ mpm_callback(-1, pid, old_gen); |
||||||
|
} |
||||||
|
else { |
||||||
|
AP_DEBUG_ASSERT(1 == 0); |
||||||
|
@@ -307,10 +309,12 @@ |
||||||
|
while (cur_extra) { |
||||||
|
ap_generation_t old_gen; |
||||||
|
extra_process_t *next = cur_extra->next; |
||||||
|
+ pid_t pid = cur_extra->pid; |
||||||
|
|
||||||
|
- if (reclaim_one_pid(cur_extra->pid, DO_NOTHING)) { |
||||||
|
- if (ap_unregister_extra_mpm_process(cur_extra->pid, &old_gen) == 1) { |
||||||
|
- mpm_callback(-1, cur_extra->pid, old_gen); |
||||||
|
+ if (reclaim_one_pid(pid, DO_NOTHING)) { |
||||||
|
+ if (ap_unregister_extra_mpm_process(pid, &old_gen) == 1) { |
||||||
|
+ /* cur_extra dangling pointer from here. */ |
||||||
|
+ mpm_callback(-1, pid, old_gen); |
||||||
|
} |
||||||
|
else { |
||||||
|
AP_DEBUG_ASSERT(1 == 0); |
@ -0,0 +1,45 @@ |
|||||||
|
diff --git a/Makefile.in b/Makefile.in |
||||||
|
index a2e9c82..bd8045c 100644 |
||||||
|
--- a/Makefile.in |
||||||
|
+++ b/Makefile.in |
||||||
|
@@ -4,7 +4,7 @@ CLEAN_SUBDIRS = test |
||||||
|
|
||||||
|
PROGRAM_NAME = $(progname) |
||||||
|
PROGRAM_SOURCES = modules.c |
||||||
|
-PROGRAM_LDADD = buildmark.o $(HTTPD_LDFLAGS) $(PROGRAM_DEPENDENCIES) $(PCRE_LIBS) $(EXTRA_LIBS) $(AP_LIBS) $(LIBS) |
||||||
|
+PROGRAM_LDADD = buildmark.o $(HTTPD_LDFLAGS) $(PROGRAM_DEPENDENCIES) $(HTTPD_LIBS) $(EXTRA_LIBS) $(AP_LIBS) $(LIBS) |
||||||
|
PROGRAM_PRELINK = $(COMPILE) -c $(top_srcdir)/server/buildmark.c |
||||||
|
PROGRAM_DEPENDENCIES = \ |
||||||
|
server/libmain.la \ |
||||||
|
diff --git a/acinclude.m4 b/acinclude.m4 |
||||||
|
index 97484c9..05abe18 100644 |
||||||
|
--- a/acinclude.m4 |
||||||
|
+++ b/acinclude.m4 |
||||||
|
@@ -631,6 +631,7 @@ case $host in |
||||||
|
if test "${ac_cv_header_systemd_sd_daemon_h}" = "no" || test -z "${SYSTEMD_LIBS}"; then |
||||||
|
AC_MSG_WARN([Your system does not support systemd.]) |
||||||
|
else |
||||||
|
+ APR_ADDTO(HTTPD_LIBS, [$SYSTEMD_LIBS]) |
||||||
|
AC_DEFINE(HAVE_SYSTEMD, 1, [Define if systemd is supported]) |
||||||
|
fi |
||||||
|
fi |
||||||
|
diff --git a/configure.in b/configure.in |
||||||
|
index cf437fe..521fc45 100644 |
||||||
|
--- a/configure.in |
||||||
|
+++ b/configure.in |
||||||
|
@@ -239,6 +239,7 @@ if test "x$PCRE_CONFIG" != "x"; then |
||||||
|
AC_MSG_NOTICE([Using external PCRE library from $PCRE_CONFIG]) |
||||||
|
APR_ADDTO(PCRE_INCLUDES, [`$PCRE_CONFIG --cflags`]) |
||||||
|
APR_ADDTO(PCRE_LIBS, [`$PCRE_CONFIG --libs8 2>/dev/null || $PCRE_CONFIG --libs`]) |
||||||
|
+ APR_ADDTO(HTTPD_LIBS, [\$(PCRE_LIBS)]) |
||||||
|
else |
||||||
|
AC_MSG_ERROR([pcre(2)-config for libpcre not found. PCRE is required and available from http://pcre.org/]) |
||||||
|
fi |
||||||
|
@@ -734,6 +735,7 @@ APACHE_SUBST(OS_DIR) |
||||||
|
APACHE_SUBST(BUILTIN_LIBS) |
||||||
|
APACHE_SUBST(SHLIBPATH_VAR) |
||||||
|
APACHE_SUBST(OS_SPECIFIC_VARS) |
||||||
|
+APACHE_SUBST(HTTPD_LIBS) |
||||||
|
|
||||||
|
PRE_SHARED_CMDS='echo ""' |
||||||
|
POST_SHARED_CMDS='echo ""' |
@ -0,0 +1,49 @@ |
|||||||
|
diff --git a/docs/conf/extra/httpd-autoindex.conf.in b/docs/conf/extra/httpd-autoindex.conf.in |
||||||
|
index 51b02ed..93a2b87 100644 |
||||||
|
--- a/docs/conf/extra/httpd-autoindex.conf.in |
||||||
|
+++ b/docs/conf/extra/httpd-autoindex.conf.in |
||||||
|
@@ -21,7 +21,7 @@ IndexOptions FancyIndexing HTMLTable VersionSort |
||||||
|
Alias /icons/ "@exp_iconsdir@/" |
||||||
|
|
||||||
|
<Directory "@exp_iconsdir@"> |
||||||
|
- Options Indexes MultiViews |
||||||
|
+ Options Indexes MultiViews FollowSymlinks |
||||||
|
AllowOverride None |
||||||
|
Require all granted |
||||||
|
</Directory> |
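Review bot: `Options Indexes MultiViews FollowSymlinks` on the icons directory lets httpd serve whatever any symlink placed under `@exp_iconsdir@` points to, which is a broader grant than serving icons needs and turns write access to that directory into read access to arbitrary files. If the reason is that the packaged icons are installed as symlinks (likely, but not shown here), `SymLinksIfOwnerMatch` covers that case while refusing links whose owner differs from the target; otherwise the justification should be recorded in a comment, e.g. `# FollowSymlinks: the packaged icons are symlinks into a shared icon set`.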
||||||
|
@@ -37,6 +37,7 @@ AddIconByType (TXT,/icons/text.gif) text/* |
||||||
|
AddIconByType (IMG,/icons/image2.gif) image/* |
||||||
|
AddIconByType (SND,/icons/sound2.gif) audio/* |
||||||
|
AddIconByType (VID,/icons/movie.gif) video/* |
||||||
|
+AddIconByType /icons/bomb.gif application/x-coredump |
||||||
|
|
||||||
|
AddIcon /icons/binary.gif .bin .exe |
||||||
|
AddIcon /icons/binhex.gif .hqx |
||||||
|
@@ -53,7 +54,6 @@ AddIcon /icons/dvi.gif .dvi |
||||||
|
AddIcon /icons/uuencoded.gif .uu |
||||||
|
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl |
||||||
|
AddIcon /icons/tex.gif .tex |
||||||
|
-AddIcon /icons/bomb.gif core |
||||||
|
|
||||||
|
AddIcon /icons/back.gif .. |
||||||
|
AddIcon /icons/hand.right.gif README |
||||||
|
diff --git a/docs/conf/magic b/docs/conf/magic |
||||||
|
index bc891d9..9a41b44 100644 |
||||||
|
--- a/docs/conf/magic |
||||||
|
+++ b/docs/conf/magic |
||||||
|
@@ -383,3 +383,15 @@ |
||||||
|
4 string moov video/quicktime |
||||||
|
4 string mdat video/quicktime |
||||||
|
|
||||||
|
+ |
||||||
|
+#------------------------------------------------------------------------------ |
||||||
|
+# application/x-coredump for LE/BE ELF |
||||||
|
+# |
||||||
|
+0 string \177ELF |
||||||
|
+>5 byte 1 |
||||||
|
+>16 leshort 4 application/x-coredump |
||||||
|
+ |
||||||
|
+0 string \177ELF |
||||||
|
+>5 byte 2 |
||||||
|
+>16 beshort 4 application/x-coredump |
||||||
|
+ |
@ -0,0 +1,116 @@ |
|||||||
|
diff --git a/include/util_ldap.h b/include/util_ldap.h |
||||||
|
index 28e0760..edb8a81 100644 |
||||||
|
--- a/include/util_ldap.h |
||||||
|
+++ b/include/util_ldap.h |
||||||
|
@@ -32,7 +32,6 @@ |
||||||
|
#if APR_MAJOR_VERSION < 2 |
||||||
|
/* The LDAP API is currently only present in APR 1.x */ |
||||||
|
#include "apr_ldap.h" |
||||||
|
-#include "apr_ldap_rebind.h" |
||||||
|
#else |
||||||
|
#define APR_HAS_LDAP 0 |
||||||
|
#endif |
||||||
|
diff --git a/modules/ldap/util_ldap.c b/modules/ldap/util_ldap.c |
||||||
|
index 4d92ec9..864bd62 100644 |
||||||
|
--- a/modules/ldap/util_ldap.c |
||||||
|
+++ b/modules/ldap/util_ldap.c |
||||||
|
@@ -154,6 +154,38 @@ static int util_ldap_handler(request_rec *r) |
||||||
|
return OK; |
||||||
|
} |
||||||
|
|
||||||
|
+/* For OpenLDAP with the 3-arg version of ldap_set_rebind_proc(), use |
||||||
|
+ * a simpler rebind callback than the implementation in APR-util. |
||||||
|
+ * Testing for API version >= 3001 appears safe although OpenLDAP |
||||||
|
+ * 2.1.x (API version = 2004) also has the 3-arg API. */ |
||||||
|
+#if APR_HAS_OPENLDAP_LDAPSDK && defined(LDAP_API_VERSION) && LDAP_API_VERSION >= 3001 |
||||||
|
+ |
||||||
|
+#define uldap_rebind_init(p) APR_SUCCESS /* noop */ |
||||||
|
+ |
||||||
|
+static int uldap_rebind_proc(LDAP *ld, const char *url, ber_tag_t request, |
||||||
|
+ ber_int_t msgid, void *params) |
||||||
|
+{ |
||||||
|
+ util_ldap_connection_t *ldc = params; |
||||||
|
+ |
||||||
|
+ return ldap_bind_s(ld, ldc->binddn, ldc->bindpw, LDAP_AUTH_SIMPLE); |
||||||
|
+} |
||||||
|
+ |
||||||
|
+static apr_status_t uldap_rebind_add(util_ldap_connection_t *ldc) |
||||||
|
+{ |
||||||
|
+ ldap_set_rebind_proc(ldc->ldap, uldap_rebind_proc, ldc); |
||||||
|
+ return APR_SUCCESS; |
||||||
|
+} |
||||||
|
+ |
||||||
|
+#else /* !APR_HAS_OPENLDAP_LDAPSDK */ |
||||||
|
+ |
||||||
|
+#define USE_APR_LDAP_REBIND |
||||||
|
+#include <apr_ldap_rebind.h> |
||||||
|
+ |
||||||
|
+#define uldap_rebind_init(p) apr_ldap_rebind_init(p) |
||||||
|
+#define uldap_rebind_add(ldc) apr_ldap_rebind_add((ldc)->rebind_pool, \ |
||||||
|
+ (ldc)->ldap, (ldc)->binddn, \ |
||||||
|
+ (ldc)->bindpw) |
||||||
|
+#endif |
||||||
|
|
||||||
|
|
||||||
|
/* ------------------------------------------------------------------ */ |
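Review bot: uldap_rebind_proc() ignores `url` and replays the configured `binddn`/`bindpw` with a simple bind to whichever server the referral names, so the bind password goes to any host a referral points at; that is the same trust model as the APR-util path, but it should be stated in the comment above the callback, e.g. `/* Rebind with the configured credentials on whatever server the referral names; ChaseReferrals implies trusting referral targets. */`. `ldap_bind_s` is also a deprecated OpenLDAP entry point that is only declared when LDAP_DEPRECATED is defined; `ldap_sasl_bind_s(ld, ldc->binddn, LDAP_SASL_SIMPLE, &cred, NULL, NULL, NULL)` with a `struct berval` holding the password is the supported form. Finally, `#else /* !APR_HAS_OPENLDAP_LDAPSDK */` understates the condition, which also fails for an OpenLDAP SDK with `LDAP_API_VERSION < 3001`.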
||||||
|
@@ -195,6 +227,13 @@ static apr_status_t uldap_connection_unbind(void *param) |
||||||
|
util_ldap_connection_t *ldc = param; |
||||||
|
|
||||||
|
if (ldc) { |
||||||
|
+#ifdef USE_APR_LDAP_REBIND |
||||||
|
+ /* forget the rebind info for this conn */ |
||||||
|
+ if (ldc->ChaseReferrals == AP_LDAP_CHASEREFERRALS_ON) { |
||||||
|
+ apr_pool_clear(ldc->rebind_pool); |
||||||
|
+ } |
||||||
|
+#endif |
||||||
|
+ |
||||||
|
if (ldc->ldap) { |
||||||
|
if (ldc->r) { |
||||||
|
ap_log_rerror(APLOG_MARK, APLOG_TRACE5, 0, ldc->r, "LDC %pp unbind", ldc); |
||||||
|
@@ -203,12 +242,6 @@ static apr_status_t uldap_connection_unbind(void *param) |
||||||
|
ldc->ldap = NULL; |
||||||
|
} |
||||||
|
ldc->bound = 0; |
||||||
|
- |
||||||
|
- /* forget the rebind info for this conn */ |
||||||
|
- if (ldc->ChaseReferrals == AP_LDAP_CHASEREFERRALS_ON) { |
||||||
|
- apr_ldap_rebind_remove(ldc->ldap); |
||||||
|
- apr_pool_clear(ldc->rebind_pool); |
||||||
|
- } |
||||||
|
} |
||||||
|
|
||||||
|
return APR_SUCCESS; |
||||||
|
@@ -344,7 +377,7 @@ static int uldap_connection_init(request_rec *r, |
||||||
|
|
||||||
|
if (ldc->ChaseReferrals == AP_LDAP_CHASEREFERRALS_ON) { |
||||||
|
/* Now that we have an ldap struct, add it to the referral list for rebinds. */ |
||||||
|
- rc = apr_ldap_rebind_add(ldc->rebind_pool, ldc->ldap, ldc->binddn, ldc->bindpw); |
||||||
|
+ rc = uldap_rebind_add(ldc); |
||||||
|
if (rc != APR_SUCCESS) { |
||||||
|
ap_log_error(APLOG_MARK, APLOG_ERR, rc, r->server, APLOGNO(01277) |
||||||
|
"LDAP: Unable to add rebind cross reference entry. Out of memory?"); |
||||||
|
@@ -870,6 +903,7 @@ static util_ldap_connection_t * |
||||||
|
/* whether or not to keep this connection in the pool when it's returned */ |
||||||
|
l->keep = (st->connection_pool_ttl == 0) ? 0 : 1; |
||||||
|
|
||||||
|
+#ifdef USE_APR_LDAP_REBIND |
||||||
|
if (l->ChaseReferrals == AP_LDAP_CHASEREFERRALS_ON) { |
||||||
|
if (apr_pool_create(&(l->rebind_pool), l->pool) != APR_SUCCESS) { |
||||||
|
ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r, APLOGNO(01286) |
||||||
|
@@ -881,6 +915,7 @@ static util_ldap_connection_t * |
||||||
|
} |
||||||
|
apr_pool_tag(l->rebind_pool, "util_ldap_rebind"); |
||||||
|
} |
||||||
|
+#endif |
||||||
|
|
||||||
|
if (p) { |
||||||
|
p->next = l; |
||||||
|
@@ -3068,7 +3103,7 @@ static int util_ldap_post_config(apr_pool_t *p, apr_pool_t *plog, |
||||||
|
} |
||||||
|
|
||||||
|
/* Initialize the rebind callback's cross reference list. */ |
||||||
|
- apr_ldap_rebind_init (p); |
||||||
|
+ (void) uldap_rebind_init(p); |
||||||
|
|
||||||
|
#ifdef AP_LDAP_OPT_DEBUG |
||||||
|
if (st->debug_level > 0) { |
@ -0,0 +1,286 @@ |
|||||||
|
diff --git a/acinclude.m4 b/acinclude.m4 |
||||||
|
index 05abe18..97484c9 100644 |
||||||
|
--- a/acinclude.m4 |
||||||
|
+++ b/acinclude.m4 |
||||||
|
@@ -631,7 +631,6 @@ case $host in |
||||||
|
if test "${ac_cv_header_systemd_sd_daemon_h}" = "no" || test -z "${SYSTEMD_LIBS}"; then |
||||||
|
AC_MSG_WARN([Your system does not support systemd.]) |
||||||
|
else |
||||||
|
- APR_ADDTO(HTTPD_LIBS, [$SYSTEMD_LIBS]) |
||||||
|
AC_DEFINE(HAVE_SYSTEMD, 1, [Define if systemd is supported]) |
||||||
|
fi |
||||||
|
fi |
||||||
|
diff --git a/include/ap_listen.h b/include/ap_listen.h |
||||||
|
index 58c2574..d5ed968 100644 |
||||||
|
--- a/include/ap_listen.h |
||||||
|
+++ b/include/ap_listen.h |
||||||
|
@@ -29,6 +29,7 @@ |
||||||
|
#include "apr_network_io.h" |
||||||
|
#include "httpd.h" |
||||||
|
#include "http_config.h" |
||||||
|
+#include "apr_optional.h" |
||||||
|
|
||||||
|
#ifdef __cplusplus |
||||||
|
extern "C" { |
||||||
|
@@ -143,6 +144,15 @@ AP_DECLARE_NONSTD(const char *) ap_set_receive_buffer_size(cmd_parms *cmd, |
||||||
|
void *dummy, |
||||||
|
const char *arg); |
||||||
|
|
||||||
|
+#ifdef HAVE_SYSTEMD |
||||||
|
+APR_DECLARE_OPTIONAL_FN(int, |
||||||
|
+ ap_find_systemd_socket, (process_rec *, apr_port_t)); |
||||||
|
+ |
||||||
|
+APR_DECLARE_OPTIONAL_FN(int, |
||||||
|
+ ap_systemd_listen_fds, (int)); |
||||||
|
+#endif |
||||||
|
+ |
||||||
|
+ |
||||||
|
#define LISTEN_COMMANDS \ |
||||||
|
AP_INIT_TAKE1("ListenBacklog", ap_set_listenbacklog, NULL, RSRC_CONF, \ |
||||||
|
"Maximum length of the queue of pending connections, as used by listen(2)"), \ |
||||||
|
diff --git a/modules/arch/unix/mod_systemd.c b/modules/arch/unix/mod_systemd.c |
||||||
|
index eda1272..fc059fc 100644 |
||||||
|
--- a/modules/arch/unix/mod_systemd.c |
||||||
|
+++ b/modules/arch/unix/mod_systemd.c |
||||||
|
@@ -35,6 +35,15 @@ |
||||||
|
#include <unistd.h> |
||||||
|
#endif |
||||||
|
|
||||||
|
+APR_DECLARE_OPTIONAL_FN(int, |
||||||
|
+ ap_find_systemd_socket, (process_rec *, apr_port_t)); |
||||||
|
+ |
||||||
|
+APR_DECLARE_OPTIONAL_FN(int, |
||||||
|
+ ap_systemd_listen_fds, (int)); |
||||||
|
+ |
||||||
|
+APR_DECLARE_OPTIONAL_FN(int, |
||||||
|
+ ap_systemd_journal_stream_fd, (const char *, int, int)); |
||||||
|
+ |
||||||
|
static char describe_listeners[30]; |
||||||
|
|
||||||
|
static int systemd_pre_config(apr_pool_t *pconf, apr_pool_t *plog, |
||||||
|
@@ -145,8 +154,47 @@ static int systemd_monitor(apr_pool_t *p, server_rec *s) |
||||||
|
return DECLINED; |
||||||
|
} |
||||||
|
|
||||||
|
+static int ap_find_systemd_socket(process_rec * process, apr_port_t port) { |
||||||
|
+ int fdcount, fd; |
||||||
|
+ int sdc = sd_listen_fds(0); |
||||||
|
+ |
||||||
|
+ if (sdc < 0) { |
||||||
|
+ ap_log_perror(APLOG_MARK, APLOG_CRIT, sdc, process->pool, APLOGNO(02486) |
||||||
|
+ "find_systemd_socket: Error parsing enviroment, sd_listen_fds returned %d", |
||||||
|
+ sdc); |
||||||
|
+ return -1; |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+ if (sdc == 0) { |
||||||
|
+ ap_log_perror(APLOG_MARK, APLOG_CRIT, sdc, process->pool, APLOGNO(02487) |
||||||
|
+ "find_systemd_socket: At least one socket must be set."); |
||||||
|
+ return -1; |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+ fdcount = atoi(getenv("LISTEN_FDS")); |
||||||
|
+ for (fd = SD_LISTEN_FDS_START; fd < SD_LISTEN_FDS_START + fdcount; fd++) { |
||||||
|
+ if (sd_is_socket_inet(fd, 0, 0, -1, port) > 0) { |
||||||
|
+ return fd; |
||||||
|
+ } |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+ return -1; |
||||||
|
+} |
||||||
|
+ |
||||||
|
+static int ap_systemd_listen_fds(int unset_environment){ |
||||||
|
+ return sd_listen_fds(unset_environment); |
||||||
|
+} |
||||||
|
+ |
||||||
|
+static int ap_systemd_journal_stream_fd(const char *identifier, int priority, int level_prefix){ |
||||||
|
+ return sd_journal_stream_fd("httpd", priority, 0); |
||||||
|
+} |
||||||
|
+ |
||||||
|
static void systemd_register_hooks(apr_pool_t *p) |
||||||
|
{ |
||||||
|
+ APR_REGISTER_OPTIONAL_FN(ap_systemd_listen_fds); |
||||||
|
+ APR_REGISTER_OPTIONAL_FN(ap_find_systemd_socket); |
||||||
|
+ APR_REGISTER_OPTIONAL_FN(ap_systemd_journal_stream_fd); |
||||||
|
+ |
||||||
|
/* Enable ap_extended_status. */ |
||||||
|
ap_hook_pre_config(systemd_pre_config, NULL, NULL, APR_HOOK_LAST); |
||||||
|
/* Signal service is ready. */ |
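Review bot: `fdcount = atoi(getenv("LISTEN_FDS"));` in ap_find_systemd_socket() re-parses an environment variable that `sd_listen_fds(0)` has just parsed and returned as `sdc`, and it dereferences a possibly NULL getenv() result; now that the function is reachable from other modules through the optional-function table, and the `unset_environment` argument of ap_systemd_listen_fds() suggests the variables can be cleared, that is a crash waiting to happen. Use the value already in hand: `for (fd = SD_LISTEN_FDS_START; fd < SD_LISTEN_FDS_START + sdc; fd++)` and drop `fdcount`. Separately, ap_systemd_journal_stream_fd() ignores its `identifier` and `level_prefix` parameters and hard-codes `"httpd"` and `0`; either forward them, `return sd_journal_stream_fd(identifier, priority, level_prefix);`, or document that they are placeholders.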
||||||
|
diff --git a/modules/loggers/config.m4 b/modules/loggers/config.m4 |
||||||
|
index 0848d2e..8af2299 100644 |
||||||
|
--- a/modules/loggers/config.m4 |
||||||
|
+++ b/modules/loggers/config.m4 |
||||||
|
@@ -5,7 +5,6 @@ dnl APACHE_MODULE(name, helptext[, objects[, structname[, default[, config]]]]) |
||||||
|
APACHE_MODPATH_INIT(loggers) |
||||||
|
|
||||||
|
APACHE_MODULE(log_config, logging configuration. You won't be able to log requests to the server without this module., , , yes) |
||||||
|
-APR_ADDTO(MOD_LOG_CONFIG_LDADD, [$SYSTEMD_LIBS]) |
||||||
|
|
||||||
|
APACHE_MODULE(log_debug, configurable debug logging, , , most) |
||||||
|
APACHE_MODULE(log_forensic, forensic logging) |
||||||
|
diff --git a/modules/loggers/mod_log_config.c b/modules/loggers/mod_log_config.c |
||||||
|
index 0b11f60..c3f0a51 100644 |
||||||
|
--- a/modules/loggers/mod_log_config.c |
||||||
|
+++ b/modules/loggers/mod_log_config.c |
||||||
|
@@ -172,10 +172,6 @@ |
||||||
|
#include <limits.h> |
||||||
|
#endif |
||||||
|
|
||||||
|
-#ifdef HAVE_SYSTEMD |
||||||
|
-#include <systemd/sd-journal.h> |
||||||
|
-#endif |
||||||
|
- |
||||||
|
#define DEFAULT_LOG_FORMAT "%h %l %u %t \"%r\" %>s %b" |
||||||
|
|
||||||
|
module AP_MODULE_DECLARE_DATA log_config_module; |
||||||
|
@@ -1640,8 +1636,15 @@ static apr_status_t wrap_journal_stream(apr_pool_t *p, apr_file_t **outfd, |
||||||
|
{ |
||||||
|
#ifdef HAVE_SYSTEMD |
||||||
|
int fd; |
||||||
|
+ APR_OPTIONAL_FN_TYPE(ap_systemd_journal_stream_fd) *systemd_journal_stream_fd; |
||||||
|
+ |
||||||
|
+ systemd_journal_stream_fd = APR_RETRIEVE_OPTIONAL_FN(ap_systemd_journal_stream_fd); |
||||||
|
+ if (systemd_journal_stream_fd == NULL) { |
||||||
|
+ return APR_ENOTIMPL; |
||||||
|
+ } |
||||||
|
|
||||||
|
- fd = sd_journal_stream_fd("httpd", priority, 0); |
||||||
|
+ fd = systemd_journal_stream_fd("httpd", priority, 0); |
||||||
|
+ |
||||||
|
if (fd < 0) return fd; |
||||||
|
|
||||||
|
/* This is an AF_UNIX socket fd so is more pipe-like than |
||||||
|
diff --git a/modules/loggers/mod_log_config.h b/modules/loggers/mod_log_config.h |
||||||
|
index 877a593..bd52a98 100644 |
||||||
|
--- a/modules/loggers/mod_log_config.h |
||||||
|
+++ b/modules/loggers/mod_log_config.h |
||||||
|
@@ -69,6 +69,10 @@ APR_DECLARE_OPTIONAL_FN(ap_log_writer_init*, ap_log_set_writer_init,(ap_log_writ |
||||||
|
*/ |
||||||
|
APR_DECLARE_OPTIONAL_FN(ap_log_writer*, ap_log_set_writer, (ap_log_writer* func)); |
||||||
|
|
||||||
|
+#ifdef HAVE_SYSTEMD |
||||||
|
+APR_DECLARE_OPTIONAL_FN(int, ap_systemd_journal_stream_fd, (const char *, int, int)); |
||||||
|
+#endif |
||||||
|
+ |
||||||
|
#endif /* MOD_LOG_CONFIG */ |
||||||
|
/** @} */ |
||||||
|
|
||||||
|
diff --git a/server/listen.c b/server/listen.c |
||||||
|
index e2e028a..5d1c0e1 100644 |
||||||
|
--- a/server/listen.c |
||||||
|
+++ b/server/listen.c |
||||||
|
@@ -34,10 +34,6 @@ |
||||||
|
#include <unistd.h> |
||||||
|
#endif |
||||||
|
|
||||||
|
-#ifdef HAVE_SYSTEMD |
||||||
|
-#include <systemd/sd-daemon.h> |
||||||
|
-#endif |
||||||
|
- |
||||||
|
/* we know core's module_index is 0 */ |
||||||
|
#undef APLOG_MODULE_INDEX |
||||||
|
#define APLOG_MODULE_INDEX AP_CORE_MODULE_INDEX |
||||||
|
@@ -325,34 +321,6 @@ static int find_listeners(ap_listen_rec **from, ap_listen_rec **to, |
||||||
|
} |
||||||
|
|
||||||
|
#ifdef HAVE_SYSTEMD |
||||||
|
- |
||||||
|
-static int find_systemd_socket(process_rec * process, apr_port_t port) { |
||||||
|
- int fdcount, fd; |
||||||
|
- int sdc = sd_listen_fds(0); |
||||||
|
- |
||||||
|
- if (sdc < 0) { |
||||||
|
- ap_log_perror(APLOG_MARK, APLOG_CRIT, sdc, process->pool, APLOGNO(02486) |
||||||
|
- "find_systemd_socket: Error parsing enviroment, sd_listen_fds returned %d", |
||||||
|
- sdc); |
||||||
|
- return -1; |
||||||
|
- } |
||||||
|
- |
||||||
|
- if (sdc == 0) { |
||||||
|
- ap_log_perror(APLOG_MARK, APLOG_CRIT, sdc, process->pool, APLOGNO(02487) |
||||||
|
- "find_systemd_socket: At least one socket must be set."); |
||||||
|
- return -1; |
||||||
|
- } |
||||||
|
- |
||||||
|
- fdcount = atoi(getenv("LISTEN_FDS")); |
||||||
|
- for (fd = SD_LISTEN_FDS_START; fd < SD_LISTEN_FDS_START + fdcount; fd++) { |
||||||
|
- if (sd_is_socket_inet(fd, 0, 0, -1, port) > 0) { |
||||||
|
- return fd; |
||||||
|
- } |
||||||
|
- } |
||||||
|
- |
||||||
|
- return -1; |
||||||
|
-} |
||||||
|
- |
||||||
|
static apr_status_t alloc_systemd_listener(process_rec * process, |
||||||
|
int fd, const char *proto, |
||||||
|
ap_listen_rec **out_rec) |
||||||
|
@@ -412,6 +380,14 @@ static const char *set_systemd_listener(process_rec *process, apr_port_t port, |
||||||
|
{ |
||||||
|
ap_listen_rec *last, *new; |
||||||
|
apr_status_t rv; |
||||||
|
+ APR_OPTIONAL_FN_TYPE(ap_find_systemd_socket) *find_systemd_socket; |
||||||
|
+ |
||||||
|
+ find_systemd_socket = APR_RETRIEVE_OPTIONAL_FN(ap_find_systemd_socket); |
||||||
|
+ |
||||||
|
+ if (!find_systemd_socket) |
||||||
|
+ return "Systemd socket activation is used, but mod_systemd is probably " |
||||||
|
+ "not loaded"; |
||||||
|
+ |
||||||
|
int fd = find_systemd_socket(process, port); |
||||||
|
if (fd < 0) { |
||||||
|
return "Systemd socket activation is used, but this port is not " |
||||||
|
@@ -438,7 +414,6 @@ static const char *set_systemd_listener(process_rec *process, apr_port_t port, |
||||||
|
|
||||||
|
return NULL; |
||||||
|
} |
||||||
|
- |
||||||
|
#endif /* HAVE_SYSTEMD */ |
||||||
|
|
||||||
|
static const char *alloc_listener(process_rec *process, const char *addr, |
||||||
|
@@ -707,6 +682,9 @@ AP_DECLARE(int) ap_setup_listeners(server_rec *s) |
||||||
|
int num_listeners = 0; |
||||||
|
const char* proto; |
||||||
|
int found; |
||||||
|
+#ifdef HAVE_SYSTEMD |
||||||
|
+ APR_OPTIONAL_FN_TYPE(ap_systemd_listen_fds) *systemd_listen_fds; |
||||||
|
+#endif |
||||||
|
|
||||||
|
for (ls = s; ls; ls = ls->next) { |
||||||
|
proto = ap_get_server_protocol(ls); |
||||||
|
@@ -746,7 +724,10 @@ AP_DECLARE(int) ap_setup_listeners(server_rec *s) |
||||||
|
apr_pool_cleanup_null, s->process->pool); |
||||||
|
} |
||||||
|
else { |
||||||
|
- sd_listen_fds(1); |
||||||
|
+ systemd_listen_fds = APR_RETRIEVE_OPTIONAL_FN(ap_systemd_listen_fds); |
||||||
|
+ if (systemd_listen_fds != NULL) { |
||||||
|
+ systemd_listen_fds(1); |
||||||
|
+ } |
||||||
|
} |
||||||
|
} |
||||||
|
else |
||||||
|
@@ -963,6 +944,9 @@ AP_DECLARE_NONSTD(const char *) ap_set_listener(cmd_parms *cmd, void *dummy, |
||||||
|
apr_port_t port; |
||||||
|
apr_status_t rv; |
||||||
|
const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY); |
||||||
|
+#ifdef HAVE_SYSTEMD |
||||||
|
+ APR_OPTIONAL_FN_TYPE(ap_systemd_listen_fds) *systemd_listen_fds; |
||||||
|
+#endif |
||||||
|
|
||||||
|
if (err != NULL) { |
||||||
|
return err; |
||||||
|
@@ -973,7 +957,12 @@ AP_DECLARE_NONSTD(const char *) ap_set_listener(cmd_parms *cmd, void *dummy, |
||||||
|
} |
||||||
|
#ifdef HAVE_SYSTEMD |
||||||
|
if (use_systemd == -1) { |
||||||
|
- use_systemd = sd_listen_fds(0) > 0; |
||||||
|
+ systemd_listen_fds = APR_RETRIEVE_OPTIONAL_FN(ap_systemd_listen_fds); |
||||||
|
+ if (systemd_listen_fds != NULL) { |
||||||
|
+ use_systemd = systemd_listen_fds(0) > 0; |
||||||
|
+ } else { |
||||||
|
+ use_systemd = 0; |
||||||
|
+ } |
||||||
|
} |
||||||
|
#endif |
||||||
|
|
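Review bot: When httpd is started under socket activation but mod_systemd is not loaded, the new `else { use_systemd = 0; }` arm silently falls back to binding the port itself instead of the explicit error that set_systemd_listener() produces for the same situation a few lines away; the inherited descriptors are then left unused and the Listen will either conflict with the socket systemd holds or quietly bypass it (inferred, the bind path is not in this hunk). A startup diagnostic would make that visible: log at APLOG_WARNING via ap_log_error() with a NULL server when `systemd_listen_fds` is NULL, stating that socket activation is being ignored because mod_systemd is not loaded. The rest of ap_set_listener() is outside this hunk.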
@ -0,0 +1,11 @@ |
|||||||
|
--- a/modules/core/mod_macro.c 2023/10/16 06:19:16 1912992 |
||||||
|
+++ b/modules/core/mod_macro.c 2023/10/16 06:38:32 1912993 |
||||||
|
@@ -483,7 +483,7 @@ |
||||||
|
for (i = 0; i < contents->nelts; i++) { |
||||||
|
const char *errmsg; |
||||||
|
/* copy the line and substitute macro parameters */ |
||||||
|
- strncpy(line, ((char **) contents->elts)[i], MAX_STRING_LEN - 1); |
||||||
|
+ apr_cpystrn(line, ((char **) contents->elts)[i], MAX_STRING_LEN); |
||||||
|
errmsg = substitute_macro_args(line, MAX_STRING_LEN, |
||||||
|
macro, replacements, used); |
||||||
|
if (errmsg) { |
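Review bot: apr_cpystrn() fixes the missing NUL terminator but still truncates a macro line of MAX_STRING_LEN-1 or more characters silently, so a clipped directive reaches substitute_macro_args() with no diagnostic. apr_cpystrn() returns a pointer to the terminator, so truncation is detectable: `if (apr_cpystrn(line, ((char **) contents->elts)[i], MAX_STRING_LEN) == line + MAX_STRING_LEN - 1)` and then report it the same way the existing `errmsg` path does. The enclosing loop and function start and end outside this hunk.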
@ -0,0 +1,14 @@ |
|||||||
|
diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c |
||||||
|
index f93f23f..4be51de 100644 |
||||||
|
--- a/modules/mappers/mod_rewrite.c |
||||||
|
+++ b/modules/mappers/mod_rewrite.c |
||||||
|
@@ -4758,8 +4758,8 @@ static int hook_uri2file(request_rec *r) |
||||||
|
} |
||||||
|
|
||||||
|
if (rulestatus) { |
||||||
|
- unsigned skip_absolute = is_absolute_uri(r->filename, NULL); |
||||||
|
apr_size_t flen = r->filename ? strlen(r->filename) : 0; |
||||||
|
+ unsigned skip_absolute = flen ? is_absolute_uri(r->filename, NULL) : 0; |
||||||
|
int to_proxyreq = (flen > 6 && strncmp(r->filename, "proxy:", 6) == 0); |
||||||
|
int will_escape = skip_absolute && (rulestatus != ACTION_NOESCAPE); |
||||||
|
|
@ -0,0 +1,51 @@ |
|||||||
|
--- httpd-2.4.57/modules/dav/fs/repos.c.davenoent |
||||||
|
+++ httpd-2.4.57/modules/dav/fs/repos.c |
||||||
|
@@ -35,6 +35,7 @@ |
||||||
|
#include "mod_dav.h" |
||||||
|
#include "repos.h" |
||||||
|
|
||||||
|
+APLOG_USE_MODULE(dav_fs); |
||||||
|
|
||||||
|
/* to assist in debugging mod_dav's GET handling */ |
||||||
|
#define DEBUG_GET_HANDLER 0 |
||||||
|
@@ -1586,6 +1587,19 @@ |
||||||
|
status = apr_stat(&fsctx->info1.finfo, fsctx->path1.buf, |
||||||
|
DAV_FINFO_MASK, pool); |
||||||
|
if (status != APR_SUCCESS && status != APR_INCOMPLETE) { |
||||||
|
+ dav_resource_private *ctx = params->root->info; |
||||||
|
+ |
||||||
|
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, status, ctx->r, |
||||||
|
+ APLOGNO(10472) "could not access file (%s) during directory walk", |
||||||
|
+ fsctx->path1.buf); |
||||||
|
+ |
||||||
|
+ /* If being tolerant, ignore failure due to losing a race |
||||||
|
+ * with some other process deleting files out from under |
||||||
|
+ * the directory walk. */ |
||||||
|
+ if ((params->walk_type & DAV_WALKTYPE_TOLERANT) |
||||||
|
+ && APR_STATUS_IS_ENOENT(status)) { |
||||||
|
+ continue; |
||||||
|
+ } |
||||||
|
/* woah! where'd it go? */ |
||||||
|
/* ### should have a better error here */ |
||||||
|
err = dav_new_error(pool, HTTP_NOT_FOUND, 0, status, NULL); |
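Review bot: The `ap_log_rerror(APLOG_MARK, APLOG_ERR, ...)` call runs before the tolerance check, so the very race this change is meant to tolerate, a file vanishing between the directory read and the apr_stat(), still writes an APLOGNO(10472) error-level line per vanished entry on every PROPFIND; that is noise in the error log and a cheap way for a client with write access to fill it. Move the log after the `DAV_WALKTYPE_TOLERANT` branch, or log the tolerated ENOENT case at APLOG_DEBUG and keep APLOG_ERR for the fatal path. The walker function that contains this code starts and ends outside the hunk.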
||||||
|
--- httpd-2.4.57/modules/dav/main/mod_dav.c.davenoent |
||||||
|
+++ httpd-2.4.57/modules/dav/main/mod_dav.c |
||||||
|
@@ -2187,7 +2187,7 @@ |
||||||
|
return HTTP_BAD_REQUEST; |
||||||
|
} |
||||||
|
|
||||||
|
- ctx.w.walk_type = DAV_WALKTYPE_NORMAL | DAV_WALKTYPE_AUTH; |
||||||
|
+ ctx.w.walk_type = DAV_WALKTYPE_NORMAL | DAV_WALKTYPE_AUTH | DAV_WALKTYPE_TOLERANT; |
||||||
|
ctx.w.func = dav_propfind_walker; |
||||||
|
ctx.w.walk_ctx = &ctx; |
||||||
|
ctx.w.pool = r->pool; |
||||||
|
--- httpd-2.4.57/modules/dav/main/mod_dav.h.davenoent |
||||||
|
+++ httpd-2.4.57/modules/dav/main/mod_dav.h |
||||||
|
@@ -1823,6 +1823,7 @@ |
||||||
|
#define DAV_WALKTYPE_AUTH 0x0001 /* limit to authorized files */ |
||||||
|
#define DAV_WALKTYPE_NORMAL 0x0002 /* walk normal files */ |
||||||
|
#define DAV_WALKTYPE_LOCKNULL 0x0004 /* walk locknull resources */ |
||||||
|
+#define DAV_WALKTYPE_TOLERANT 0x0008 /* tolerate non-fatal errors */ |
||||||
|
|
||||||
|
/* callback function and a client context for the walk */ |
||||||
|
dav_error * (*func)(dav_walk_resource *wres, int calltype); |
@ -0,0 +1,81 @@ |
|||||||
|
diff --git a/configure.in b/configure.in |
||||||
|
index a3c994b..9a4351a 100644 |
||||||
|
--- a/configure.in |
||||||
|
+++ b/configure.in |
||||||
|
@@ -524,7 +524,8 @@ prctl \ |
||||||
|
timegm \ |
||||||
|
getpgid \ |
||||||
|
fopen64 \ |
||||||
|
-getloadavg |
||||||
|
+getloadavg \ |
||||||
|
+gettid |
||||||
|
) |
||||||
|
|
||||||
|
dnl confirm that a void pointer is large enough to store a long integer |
||||||
|
@@ -535,16 +536,19 @@ AC_CHECK_LIB(selinux, is_selinux_enabled, [ |
||||||
|
APR_ADDTO(HTTPD_LIBS, [-lselinux]) |
||||||
|
]) |
||||||
|
|
||||||
|
-AC_CACHE_CHECK([for gettid()], ac_cv_gettid, |
||||||
|
+if test $ac_cv_func_gettid = no; then |
||||||
|
+ # On Linux before glibc 2.30, gettid() is only usable via syscall() |
||||||
|
+ AC_CACHE_CHECK([for gettid() via syscall], ap_cv_gettid, |
||||||
|
[AC_TRY_RUN(#define _GNU_SOURCE |
||||||
|
#include <unistd.h> |
||||||
|
#include <sys/syscall.h> |
||||||
|
#include <sys/types.h> |
||||||
|
int main(int argc, char **argv) { |
||||||
|
pid_t t = syscall(SYS_gettid); return t == -1 ? 1 : 0; }, |
||||||
|
-[ac_cv_gettid=yes], [ac_cv_gettid=no], [ac_cv_gettid=no])]) |
||||||
|
-if test "$ac_cv_gettid" = "yes"; then |
||||||
|
- AC_DEFINE(HAVE_GETTID, 1, [Define if you have gettid()]) |
||||||
|
+ [ap_cv_gettid=yes], [ap_cv_gettid=no], [ap_cv_gettid=no])]) |
||||||
|
+ if test "$ap_cv_gettid" = "yes"; then |
||||||
|
+ AC_DEFINE(HAVE_SYS_GETTID, 1, [Define if you have gettid() via syscall()]) |
||||||
|
+ fi |
||||||
|
fi |
||||||
|
|
||||||
|
dnl ## Check for the tm_gmtoff field in struct tm to get the timezone diffs |
||||||
|
diff --git a/server/log.c b/server/log.c |
||||||
|
index cc04c38..ed3b920 100644 |
||||||
|
--- a/server/log.c |
||||||
|
+++ b/server/log.c |
||||||
|
@@ -55,7 +55,7 @@ |
||||||
|
#include "ap_mpm.h" |
||||||
|
#include "ap_listen.h" |
||||||
|
|
||||||
|
-#if HAVE_GETTID |
||||||
|
+#if HAVE_SYS_GETTID |
||||||
|
#include <sys/syscall.h> |
||||||
|
#include <sys/types.h> |
||||||
|
#endif |
||||||
|
@@ -627,14 +627,18 @@ static int log_tid(const ap_errorlog_info *info, const char *arg, |
||||||
|
#if APR_HAS_THREADS |
||||||
|
int result; |
||||||
|
#endif |
||||||
|
-#if HAVE_GETTID |
||||||
|
+#if defined(HAVE_GETTID) || defined(HAVE_SYS_GETTID) |
||||||
|
if (arg && *arg == 'g') { |
||||||
|
+#ifdef HAVE_GETTID |
||||||
|
+ pid_t tid = gettid(); |
||||||
|
+#else |
||||||
|
pid_t tid = syscall(SYS_gettid); |
||||||
|
+#endif |
||||||
|
if (tid == -1) |
||||||
|
return 0; |
||||||
|
return apr_snprintf(buf, buflen, "%"APR_PID_T_FMT, tid); |
||||||
|
} |
||||||
|
-#endif |
||||||
|
+#endif /* HAVE_GETTID || HAVE_SYS_GETTID */ |
||||||
|
#if APR_HAS_THREADS |
||||||
|
if (ap_mpm_query(AP_MPMQ_IS_THREADED, &result) == APR_SUCCESS |
||||||
|
&& result != AP_MPMQ_NOT_SUPPORTED) |
||||||
|
@@ -968,7 +972,7 @@ static int do_errorlog_default(const ap_errorlog_info *info, char *buf, |
||||||
|
#if APR_HAS_THREADS |
||||||
|
field_start = len; |
||||||
|
len += cpystrn(buf + len, ":tid ", buflen - len); |
||||||
|
- item_len = log_tid(info, NULL, buf + len, buflen - len); |
||||||
|
+ item_len = log_tid(info, "g", buf + len, buflen - len); |
||||||
|
if (!item_len) |
||||||
|
len = field_start; |
||||||
|
else |
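Review bot: The new `pid_t tid = gettid();` branch in log_tid relies on a gettid() prototype, which glibc only exposes from <unistd.h> under _GNU_SOURCE; the include hunk above only adds <sys/syscall.h> for the HAVE_SYS_GETTID case, so unless log.c already defines _GNU_SOURCE before its system includes this becomes an implicit declaration. The same file tests one macro with `#if HAVE_SYS_GETTID` and the other with `#if defined(HAVE_GETTID) || defined(HAVE_SYS_GETTID)`; using the `defined()` form in both places keeps the two guards consistent. In configure.in, `if test $ac_cv_func_gettid = no; then` leaves the variable unquoted while the sibling test a few lines below quotes `$ap_cv_gettid`; `if test "$ac_cv_func_gettid" = "no"; then` matches the surrounding style. The change in do_errorlog_default to `log_tid(info, "g", ...)` appears to switch the default error-log tid field from the APR thread id to the kernel thread id wherever gettid is available, which deserves a line in the accompanying documentation since existing log parsers will see different values.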
@ -0,0 +1,170 @@ |
|||||||
|
commit af065bb14238c2877f16dc955f6db69579d45b03 |
||||||
|
Author: Tomas Korbar <tkorbar@redhat.com> |
||||||
|
Date: Thu Jul 20 09:48:17 2023 +0200 |
||||||
|
|
||||||
|
Fix duplicate presence of keys printed by mod_status |
||||||
|
|
||||||
|
diff --git a/modules/generators/mod_status.c b/modules/generators/mod_status.c |
||||||
|
index 5917953..5bada07 100644 |
||||||
|
--- a/modules/generators/mod_status.c |
||||||
|
+++ b/modules/generators/mod_status.c |
||||||
|
@@ -186,7 +186,8 @@ static int status_handler(request_rec *r) |
||||||
|
apr_uint32_t up_time; |
||||||
|
ap_loadavg_t t; |
||||||
|
int j, i, res, written; |
||||||
|
- int ready; |
||||||
|
+ int idle; |
||||||
|
+ int graceful; |
||||||
|
int busy; |
||||||
|
unsigned long count; |
||||||
|
unsigned long lres, my_lres, conn_lres; |
||||||
|
@@ -203,6 +204,7 @@ static int status_handler(request_rec *r) |
||||||
|
char *stat_buffer; |
||||||
|
pid_t *pid_buffer, worker_pid; |
||||||
|
int *thread_idle_buffer = NULL; |
||||||
|
+ int *thread_graceful_buffer = NULL; |
||||||
|
int *thread_busy_buffer = NULL; |
||||||
|
clock_t tu, ts, tcu, tcs; |
||||||
|
clock_t gu, gs, gcu, gcs; |
||||||
|
@@ -231,7 +233,8 @@ static int status_handler(request_rec *r) |
||||||
|
#endif |
||||||
|
#endif |
||||||
|
|
||||||
|
- ready = 0; |
||||||
|
+ idle = 0; |
||||||
|
+ graceful = 0; |
||||||
|
busy = 0; |
||||||
|
count = 0; |
||||||
|
bcount = 0; |
||||||
|
@@ -250,6 +253,7 @@ static int status_handler(request_rec *r) |
||||||
|
stat_buffer = apr_palloc(r->pool, server_limit * thread_limit * sizeof(char)); |
||||||
|
if (is_async) { |
||||||
|
thread_idle_buffer = apr_palloc(r->pool, server_limit * sizeof(int)); |
||||||
|
+ thread_graceful_buffer = apr_palloc(r->pool, server_limit * sizeof(int)); |
||||||
|
thread_busy_buffer = apr_palloc(r->pool, server_limit * sizeof(int)); |
||||||
|
} |
||||||
|
|
||||||
|
@@ -318,6 +322,7 @@ static int status_handler(request_rec *r) |
||||||
|
ps_record = ap_get_scoreboard_process(i); |
||||||
|
if (is_async) { |
||||||
|
thread_idle_buffer[i] = 0; |
||||||
|
+ thread_graceful_buffer[i] = 0; |
||||||
|
thread_busy_buffer[i] = 0; |
||||||
|
} |
||||||
|
for (j = 0; j < thread_limit; ++j) { |
||||||
|
@@ -336,18 +341,20 @@ static int status_handler(request_rec *r) |
||||||
|
&& ps_record->pid) { |
||||||
|
if (res == SERVER_READY) { |
||||||
|
if (ps_record->generation == mpm_generation) |
||||||
|
- ready++; |
||||||
|
+ idle++; |
||||||
|
if (is_async) |
||||||
|
thread_idle_buffer[i]++; |
||||||
|
} |
||||||
|
else if (res != SERVER_DEAD && |
||||||
|
res != SERVER_STARTING && |
||||||
|
res != SERVER_IDLE_KILL) { |
||||||
|
- busy++; |
||||||
|
- if (is_async) { |
||||||
|
- if (res == SERVER_GRACEFUL) |
||||||
|
- thread_idle_buffer[i]++; |
||||||
|
- else |
||||||
|
+ if (res == SERVER_GRACEFUL) { |
||||||
|
+ graceful++; |
||||||
|
+ if (is_async) |
||||||
|
+ thread_graceful_buffer[i]++; |
||||||
|
+ } else { |
||||||
|
+ busy++; |
||||||
|
+ if (is_async) |
||||||
|
thread_busy_buffer[i]++; |
||||||
|
} |
||||||
|
} |
||||||
|
@@ -548,10 +555,10 @@ static int status_handler(request_rec *r) |
||||||
|
} /* ap_extended_status */ |
||||||
|
|
||||||
|
if (!short_report) |
||||||
|
- ap_rprintf(r, "<dt>%d requests currently being processed, " |
||||||
|
- "%d idle workers</dt>\n", busy, ready); |
||||||
|
+ ap_rprintf(r, "<dt>%d requests currently being processed, %d workers gracefully restarting, " |
||||||
|
+ "%d idle workers</dt>\n", busy, graceful, idle); |
||||||
|
else |
||||||
|
- ap_rprintf(r, "BusyWorkers: %d\nIdleWorkers: %d\n", busy, ready); |
||||||
|
+ ap_rprintf(r, "BusyWorkers: %d\nGracefulWorkers: %d\nIdleWorkers: %d\n", busy, graceful, idle); |
||||||
|
|
||||||
|
if (!short_report) |
||||||
|
ap_rputs("</dl>", r); |
||||||
|
@@ -559,11 +566,6 @@ static int status_handler(request_rec *r) |
||||||
|
if (is_async) { |
||||||
|
int write_completion = 0, lingering_close = 0, keep_alive = 0, |
||||||
|
connections = 0, stopping = 0, procs = 0; |
||||||
|
- /* |
||||||
|
- * These differ from 'busy' and 'ready' in how gracefully finishing |
||||||
|
- * threads are counted. XXX: How to make this clear in the html? |
||||||
|
- */ |
||||||
|
- int busy_workers = 0, idle_workers = 0; |
||||||
|
if (!short_report) |
||||||
|
ap_rputs("\n\n<table rules=\"all\" cellpadding=\"1%\">\n" |
||||||
|
"<tr><th rowspan=\"2\">Slot</th>" |
||||||
|
@@ -573,7 +575,7 @@ static int status_handler(request_rec *r) |
||||||
|
"<th colspan=\"2\">Threads</th>" |
||||||
|
"<th colspan=\"3\">Async connections</th></tr>\n" |
||||||
|
"<tr><th>total</th><th>accepting</th>" |
||||||
|
- "<th>busy</th><th>idle</th>" |
||||||
|
+ "<th>busy</th><th>graceful</th><th>idle</th>" |
||||||
|
"<th>writing</th><th>keep-alive</th><th>closing</th></tr>\n", r); |
||||||
|
for (i = 0; i < server_limit; ++i) { |
||||||
|
ps_record = ap_get_scoreboard_process(i); |
||||||
|
@@ -582,8 +584,6 @@ static int status_handler(request_rec *r) |
||||||
|
write_completion += ps_record->write_completion; |
||||||
|
keep_alive += ps_record->keep_alive; |
||||||
|
lingering_close += ps_record->lingering_close; |
||||||
|
- busy_workers += thread_busy_buffer[i]; |
||||||
|
- idle_workers += thread_idle_buffer[i]; |
||||||
|
procs++; |
||||||
|
if (ps_record->quiescing) { |
||||||
|
stopping++; |
||||||
|
@@ -599,7 +599,7 @@ static int status_handler(request_rec *r) |
||||||
|
ap_rprintf(r, "<tr><td>%u</td><td>%" APR_PID_T_FMT "</td>" |
||||||
|
"<td>%s%s</td>" |
||||||
|
"<td>%u</td><td>%s</td>" |
||||||
|
- "<td>%u</td><td>%u</td>" |
||||||
|
+ "<td>%u</td><td>%u</td><td>%u</td>" |
||||||
|
"<td>%u</td><td>%u</td><td>%u</td>" |
||||||
|
"</tr>\n", |
||||||
|
i, ps_record->pid, |
||||||
|
@@ -607,6 +607,7 @@ static int status_handler(request_rec *r) |
||||||
|
ps_record->connections, |
||||||
|
ps_record->not_accepting ? "no" : "yes", |
||||||
|
thread_busy_buffer[i], |
||||||
|
+ thread_graceful_buffer[i], |
||||||
|
thread_idle_buffer[i], |
||||||
|
ps_record->write_completion, |
||||||
|
ps_record->keep_alive, |
||||||
|
@@ -618,25 +619,22 @@ static int status_handler(request_rec *r) |
||||||
|
ap_rprintf(r, "<tr><td>Sum</td>" |
||||||
|
"<td>%d</td><td>%d</td>" |
||||||
|
"<td>%d</td><td> </td>" |
||||||
|
- "<td>%d</td><td>%d</td>" |
||||||
|
+ "<td>%d</td><td>%d</td><td>%d</td>" |
||||||
|
"<td>%d</td><td>%d</td><td>%d</td>" |
||||||
|
"</tr>\n</table>\n", |
||||||
|
procs, stopping, |
||||||
|
connections, |
||||||
|
- busy_workers, idle_workers, |
||||||
|
+ busy, graceful, idle, |
||||||
|
write_completion, keep_alive, lingering_close); |
||||||
|
} |
||||||
|
else { |
||||||
|
ap_rprintf(r, "Processes: %d\n" |
||||||
|
"Stopping: %d\n" |
||||||
|
- "BusyWorkers: %d\n" |
||||||
|
- "IdleWorkers: %d\n" |
||||||
|
"ConnsTotal: %d\n" |
||||||
|
"ConnsAsyncWriting: %d\n" |
||||||
|
"ConnsAsyncKeepAlive: %d\n" |
||||||
|
"ConnsAsyncClosing: %d\n", |
||||||
|
procs, stopping, |
||||||
|
- busy_workers, idle_workers, |
||||||
|
connections, |
||||||
|
write_completion, keep_alive, lingering_close); |
||||||
|
} |
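Review bot: The async Sum row now prints `busy, graceful, idle`, but these totals are not the sums of the per-slot columns above them: `idle++` only runs when `ps_record->generation == mpm_generation`, while `thread_idle_buffer[i]++` runs for every live process, so during a graceful restart the Sum cell for idle can be smaller than the column it summarizes. The removed `busy_workers`/`idle_workers` accumulators were what kept the row and the column consistent. Either sum the three per-slot buffers in the loop that prints the rows, or drop the generation condition from `idle++` if the commit intends a single set of counters. If the current behaviour is intended, a comment on the `idle++` line such as `/* idle counts only the current generation; the per-slot buffers count all live processes */` would stop the next reader from "fixing" it.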
@ -0,0 +1,143 @@ |
|||||||
|
diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c |
||||||
|
index 537c3c2..596320d 100644 |
||||||
|
--- a/modules/proxy/mod_proxy.c |
||||||
|
+++ b/modules/proxy/mod_proxy.c |
||||||
|
@@ -1460,11 +1460,20 @@ static int proxy_handler(request_rec *r) |
||||||
|
/* handle the scheme */ |
||||||
|
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01142) |
||||||
|
"Trying to run scheme_handler against proxy"); |
||||||
|
+ |
||||||
|
+ if (ents[i].creds) { |
||||||
|
+ apr_table_set(r->notes, "proxy-basic-creds", ents[i].creds); |
||||||
|
+ ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, |
||||||
|
+ "Using proxy auth creds %s", ents[i].creds); |
||||||
|
+ } |
||||||
|
+ |
||||||
|
access_status = proxy_run_scheme_handler(r, worker, |
||||||
|
conf, url, |
||||||
|
ents[i].hostname, |
||||||
|
ents[i].port); |
||||||
|
|
||||||
|
+ if (ents[i].creds) apr_table_unset(r->notes, "proxy-basic-creds"); |
||||||
|
+ |
||||||
|
/* Did the scheme handler process the request? */ |
||||||
|
if (access_status != DECLINED) { |
||||||
|
const char *cl_a; |
||||||
|
@@ -1902,8 +1911,8 @@ static void *merge_proxy_dir_config(apr_pool_t *p, void *basev, void *addv) |
||||||
|
return new; |
||||||
|
} |
||||||
|
|
||||||
|
-static const char * |
||||||
|
- add_proxy(cmd_parms *cmd, void *dummy, const char *f1, const char *r1, int regex) |
||||||
|
+static const char *add_proxy(cmd_parms *cmd, void *dummy, const char *f1, |
||||||
|
+ const char *r1, const char *creds, int regex) |
||||||
|
{ |
||||||
|
server_rec *s = cmd->server; |
||||||
|
proxy_server_conf *conf = |
||||||
|
@@ -1961,19 +1970,24 @@ static const char * |
||||||
|
new->port = port; |
||||||
|
new->regexp = reg; |
||||||
|
new->use_regex = regex; |
||||||
|
+ if (creds) { |
||||||
|
+ new->creds = apr_pstrcat(cmd->pool, "Basic ", |
||||||
|
+ ap_pbase64encode(cmd->pool, (char *)creds), |
||||||
|
+ NULL); |
||||||
|
+ } |
||||||
|
return NULL; |
||||||
|
} |
||||||
|
|
||||||
|
-static const char * |
||||||
|
- add_proxy_noregex(cmd_parms *cmd, void *dummy, const char *f1, const char *r1) |
||||||
|
+static const char *add_proxy_noregex(cmd_parms *cmd, void *dummy, const char *f1, |
||||||
|
+ const char *r1, const char *creds) |
||||||
|
{ |
||||||
|
- return add_proxy(cmd, dummy, f1, r1, 0); |
||||||
|
+ return add_proxy(cmd, dummy, f1, r1, creds, 0); |
||||||
|
} |
||||||
|
|
||||||
|
-static const char * |
||||||
|
- add_proxy_regex(cmd_parms *cmd, void *dummy, const char *f1, const char *r1) |
||||||
|
+static const char *add_proxy_regex(cmd_parms *cmd, void *dummy, const char *f1, |
||||||
|
+ const char *r1, const char *creds) |
||||||
|
{ |
||||||
|
- return add_proxy(cmd, dummy, f1, r1, 1); |
||||||
|
+ return add_proxy(cmd, dummy, f1, r1, creds, 1); |
||||||
|
} |
||||||
|
|
||||||
|
PROXY_DECLARE(const char *) ap_proxy_de_socketfy(apr_pool_t *p, const char *url) |
||||||
|
@@ -3012,9 +3026,9 @@ static const command_rec proxy_cmds[] = |
||||||
|
"location, in regular expression syntax"), |
||||||
|
AP_INIT_FLAG("ProxyRequests", set_proxy_req, NULL, RSRC_CONF, |
||||||
|
"on if the true proxy requests should be accepted"), |
||||||
|
- AP_INIT_TAKE2("ProxyRemote", add_proxy_noregex, NULL, RSRC_CONF, |
||||||
|
+ AP_INIT_TAKE23("ProxyRemote", add_proxy_noregex, NULL, RSRC_CONF, |
||||||
|
"a scheme, partial URL or '*' and a proxy server"), |
||||||
|
- AP_INIT_TAKE2("ProxyRemoteMatch", add_proxy_regex, NULL, RSRC_CONF, |
||||||
|
+ AP_INIT_TAKE23("ProxyRemoteMatch", add_proxy_regex, NULL, RSRC_CONF, |
||||||
|
"a regex pattern and a proxy server"), |
||||||
|
AP_INIT_FLAG("ProxyPassInterpolateEnv", ap_set_flag_slot_char, |
||||||
|
(void*)APR_OFFSETOF(proxy_dir_conf, interpolate_env), |
||||||
|
diff --git a/modules/proxy/mod_proxy.h b/modules/proxy/mod_proxy.h |
||||||
|
index c51145e..eaf431d 100644 |
||||||
|
--- a/modules/proxy/mod_proxy.h |
||||||
|
+++ b/modules/proxy/mod_proxy.h |
||||||
|
@@ -121,6 +121,7 @@ struct proxy_remote { |
||||||
|
const char *protocol; /* the scheme used to talk to this proxy */ |
||||||
|
const char *hostname; /* the hostname of this proxy */ |
||||||
|
ap_regex_t *regexp; /* compiled regex (if any) for the remote */ |
||||||
|
+ const char *creds; /* auth credentials (if any) for the proxy */ |
||||||
|
int use_regex; /* simple boolean. True if we have a regex pattern */ |
||||||
|
apr_port_t port; /* the port for this proxy */ |
||||||
|
}; |
||||||
|
diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c |
||||||
|
index caafde0..ea36465 100644 |
||||||
|
--- a/modules/proxy/proxy_util.c |
||||||
|
+++ b/modules/proxy/proxy_util.c |
||||||
|
@@ -2708,11 +2708,14 @@ ap_proxy_determine_connection(apr_pool_t *p, request_rec *r, |
||||||
|
* So let's make it configurable by env. |
||||||
|
* The logic here is the same used in mod_proxy_http. |
||||||
|
*/ |
||||||
|
- proxy_auth = apr_table_get(r->headers_in, "Proxy-Authorization"); |
||||||
|
+ proxy_auth = apr_table_get(r->notes, "proxy-basic-creds"); |
||||||
|
+ if (proxy_auth == NULL) |
||||||
|
+ proxy_auth = apr_table_get(r->headers_in, "Proxy-Authorization"); |
||||||
|
+ |
||||||
|
if (proxy_auth != NULL && |
||||||
|
proxy_auth[0] != '\0' && |
||||||
|
- r->user == NULL && /* we haven't yet authenticated */ |
||||||
|
- apr_table_get(r->subprocess_env, "Proxy-Chain-Auth")) { |
||||||
|
+ (r->user == NULL /* we haven't yet authenticated */ |
||||||
|
+ || apr_table_get(r->subprocess_env, "Proxy-Chain-Auth"))) { |
||||||
|
forward->proxy_auth = apr_pstrdup(conn->pool, proxy_auth); |
||||||
|
} |
||||||
|
} |
||||||
|
@@ -2948,7 +2951,8 @@ static apr_status_t send_http_connect(proxy_conn_rec *backend, |
||||||
|
nbytes = apr_snprintf(buffer, sizeof(buffer), |
||||||
|
"CONNECT %s:%d HTTP/1.0" CRLF, |
||||||
|
forward->target_host, forward->target_port); |
||||||
|
- /* Add proxy authorization from the initial request if necessary */ |
||||||
|
+ /* Add proxy authorization from the configuration, or initial |
||||||
|
+ * request if necessary */ |
||||||
|
if (forward->proxy_auth != NULL) { |
||||||
|
nbytes += apr_snprintf(buffer + nbytes, sizeof(buffer) - nbytes, |
||||||
|
"Proxy-Authorization: %s" CRLF, |
||||||
|
@@ -3909,6 +3913,7 @@ PROXY_DECLARE(int) ap_proxy_create_hdrbrgd(apr_pool_t *p, |
||||||
|
int force10 = 0, do_100_continue = 0; |
||||||
|
conn_rec *origin = p_conn->connection; |
||||||
|
const char *host, *val; |
||||||
|
+ const char *creds; |
||||||
|
proxy_dir_conf *dconf = ap_get_module_config(r->per_dir_config, &proxy_module); |
||||||
|
|
||||||
|
/* |
||||||
|
@@ -4131,6 +4136,11 @@ PROXY_DECLARE(int) ap_proxy_create_hdrbrgd(apr_pool_t *p, |
||||||
|
/* run hook to fixup the request we are about to send */ |
||||||
|
proxy_run_fixups(r); |
||||||
|
|
||||||
|
+ creds = apr_table_get(r->notes, "proxy-basic-creds"); |
||||||
|
+ if (creds) { |
||||||
|
+ apr_table_mergen(r->headers_in, "Proxy-Authorization", creds); |
||||||
|
+ } |
||||||
|
+ |
||||||
|
/* We used to send `Host: ` always first, so let's keep it that |
||||||
|
* way. No telling which legacy backend is relying on this. |
||||||
|
* If proxy_run_fixups() changed the value, use it (though removal |
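Review bot: The TRACE1 message `"Using proxy auth creds %s", ents[i].creds` writes the configured credential into the error log; it is base64, not a hash, so anyone with log access recovers the ProxyRemote password. Logging that configured credentials are in use without the value, e.g. `"Using configured proxy auth creds for %s", ents[i].hostname`, keeps the trace useful. In ap_proxy_create_hdrbrgd, `apr_table_mergen(r->headers_in, "Proxy-Authorization", creds)` appends to any client-supplied Proxy-Authorization header, producing a comma-joined value that is not a single credential; `apr_table_setn` (or setting only when the header is absent) expresses the precedence that the proxy_util.c hunk already gives the configured value for CONNECT. The comment on the new `creds` field in struct proxy_remote should also say it holds the already-encoded `Basic ...` header value rather than the raw user:password, since add_proxy stores the encoded form.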
@ -0,0 +1,99 @@ |
|||||||
|
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c |
||||||
|
index 4e2e80d..10a2c86 100644 |
||||||
|
--- a/modules/ssl/ssl_engine_init.c |
||||||
|
+++ b/modules/ssl/ssl_engine_init.c |
||||||
|
@@ -2256,51 +2256,6 @@ int ssl_proxy_section_post_config(apr_pool_t *p, apr_pool_t *plog, |
||||||
|
return OK; |
||||||
|
} |
||||||
|
|
||||||
|
-static int ssl_init_FindCAList_X509NameCmp(const X509_NAME * const *a, |
||||||
|
- const X509_NAME * const *b) |
||||||
|
-{ |
||||||
|
- return(X509_NAME_cmp(*a, *b)); |
||||||
|
-} |
||||||
|
- |
||||||
|
-static void ssl_init_PushCAList(STACK_OF(X509_NAME) *ca_list, |
||||||
|
- server_rec *s, apr_pool_t *ptemp, |
||||||
|
- const char *file) |
||||||
|
-{ |
||||||
|
- int n; |
||||||
|
- STACK_OF(X509_NAME) *sk; |
||||||
|
- |
||||||
|
- sk = (STACK_OF(X509_NAME) *) |
||||||
|
- SSL_load_client_CA_file(file); |
||||||
|
- |
||||||
|
- if (!sk) { |
||||||
|
- return; |
||||||
|
- } |
||||||
|
- |
||||||
|
- for (n = 0; n < sk_X509_NAME_num(sk); n++) { |
||||||
|
- X509_NAME *name = sk_X509_NAME_value(sk, n); |
||||||
|
- |
||||||
|
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02209) |
||||||
|
- "CA certificate: %s", |
||||||
|
- modssl_X509_NAME_to_string(ptemp, name, 0)); |
||||||
|
- |
||||||
|
- /* |
||||||
|
- * note that SSL_load_client_CA_file() checks for duplicates, |
||||||
|
- * but since we call it multiple times when reading a directory |
||||||
|
- * we must also check for duplicates ourselves. |
||||||
|
- */ |
||||||
|
- |
||||||
|
- if (sk_X509_NAME_find(ca_list, name) < 0) { |
||||||
|
- /* this will be freed when ca_list is */ |
||||||
|
- sk_X509_NAME_push(ca_list, name); |
||||||
|
- } |
||||||
|
- else { |
||||||
|
- /* need to free this ourselves, else it will leak */ |
||||||
|
- X509_NAME_free(name); |
||||||
|
- } |
||||||
|
- } |
||||||
|
- |
||||||
|
- sk_X509_NAME_free(sk); |
||||||
|
-} |
||||||
|
|
||||||
|
static apr_status_t ssl_init_ca_cert_path(server_rec *s, |
||||||
|
apr_pool_t *ptemp, |
||||||
|
@@ -2324,7 +2279,7 @@ static apr_status_t ssl_init_ca_cert_path(server_rec *s, |
||||||
|
} |
||||||
|
file = apr_pstrcat(ptemp, path, "/", direntry.name, NULL); |
||||||
|
if (ca_list) { |
||||||
|
- ssl_init_PushCAList(ca_list, s, ptemp, file); |
||||||
|
+ SSL_add_file_cert_subjects_to_stack(ca_list, file); |
||||||
|
} |
||||||
|
if (xi_list) { |
||||||
|
load_x509_info(ptemp, xi_list, file); |
||||||
|
@@ -2341,19 +2296,13 @@ STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s, |
||||||
|
const char *ca_file, |
||||||
|
const char *ca_path) |
||||||
|
{ |
||||||
|
- STACK_OF(X509_NAME) *ca_list; |
||||||
|
- |
||||||
|
- /* |
||||||
|
- * Start with a empty stack/list where new |
||||||
|
- * entries get added in sorted order. |
||||||
|
- */ |
||||||
|
- ca_list = sk_X509_NAME_new(ssl_init_FindCAList_X509NameCmp); |
||||||
|
+ STACK_OF(X509_NAME) *ca_list = sk_X509_NAME_new_null();; |
||||||
|
|
||||||
|
/* |
||||||
|
* Process CA certificate bundle file |
||||||
|
*/ |
||||||
|
if (ca_file) { |
||||||
|
- ssl_init_PushCAList(ca_list, s, ptemp, ca_file); |
||||||
|
+ SSL_add_file_cert_subjects_to_stack(ca_list, ca_file); |
||||||
|
/* |
||||||
|
* If ca_list is still empty after trying to load ca_file |
||||||
|
* then the file failed to load, and users should hear about that. |
||||||
|
@@ -2377,11 +2326,6 @@ STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s, |
||||||
|
return NULL; |
||||||
|
} |
||||||
|
|
||||||
|
- /* |
||||||
|
- * Cleanup |
||||||
|
- */ |
||||||
|
- (void) sk_X509_NAME_set_cmp_func(ca_list, NULL); |
||||||
|
- |
||||||
|
return ca_list; |
||||||
|
} |
||||||
|
|
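Review bot: `STACK_OF(X509_NAME) *ca_list = sk_X509_NAME_new_null();;` carries a stray second semicolon. The return value of `SSL_add_file_cert_subjects_to_stack` is discarded at both call sites; in ssl_init_ca_cert_path a file under the CA path that fails to parse is now skipped silently, whereas the ca_file case is only caught indirectly by the "still empty" check that follows. Logging the failure there, e.g. `if (!SSL_add_file_cert_subjects_to_stack(ca_list, file)) ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, "Failed to load CA subjects from %s", file);` (with a newly allocated APLOGNO), preserves some of the per-file diagnostics that the removed ssl_init_PushCAList emitted under APLOGNO(02209). Whether the removed duplicate-subject handling is still covered depends on the OpenSSL implementation of SSL_add_file_cert_subjects_to_stack, which is outside this hunk.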
@ -0,0 +1,39 @@ |
|||||||
|
# ./pullrev.sh 1884505 1915625 |
||||||
|
http://svn.apache.org/viewvc?view=revision&revision=1884505 |
||||||
|
http://svn.apache.org/viewvc?view=revision&revision=1915625 |
||||||
|
|
||||||
|
--- httpd-2.4.57/modules/filters/mod_xml2enc.c |
||||||
|
+++ httpd-2.4.57/modules/filters/mod_xml2enc.c |
||||||
|
@@ -329,7 +329,7 @@ |
||||||
|
apr_bucket* bstart; |
||||||
|
apr_size_t insz = 0; |
||||||
|
int pending_meta = 0; |
||||||
|
- char *ctype; |
||||||
|
+ char *mtype; |
||||||
|
char *p; |
||||||
|
|
||||||
|
if (!ctx || !f->r->content_type) { |
||||||
|
@@ -338,13 +338,17 @@ |
||||||
|
return ap_pass_brigade(f->next, bb) ; |
||||||
|
} |
||||||
|
|
||||||
|
- ctype = apr_pstrdup(f->r->pool, f->r->content_type); |
||||||
|
- for (p = ctype; *p; ++p) |
||||||
|
- if (isupper(*p)) |
||||||
|
- *p = tolower(*p); |
||||||
|
+ /* Extract the media type, ignoring parameters in content-type. */ |
||||||
|
+ mtype = apr_pstrdup(f->r->pool, f->r->content_type); |
||||||
|
+ if ((p = ap_strchr(mtype, ';')) != NULL) *p = '\0'; |
||||||
|
+ ap_str_tolower(mtype); |
||||||
|
|
||||||
|
- /* only act if starts-with "text/" or contains "xml" */ |
||||||
|
- if (strncmp(ctype, "text/", 5) && !strstr(ctype, "xml")) { |
||||||
|
+ /* Accept text/ types, plus any XML media type per RFC 7303. */ |
||||||
|
+ if (!(strncmp(mtype, "text/", 5) == 0 |
||||||
|
+ || strcmp(mtype, "application/xml") == 0 |
||||||
|
+ || (strlen(mtype) > 7 /* minimum 'a/b+xml' length */ |
||||||
|
+ && (p = strstr(mtype, "+xml")) != NULL |
||||||
|
+ && strlen(p) == 4 /* ensures +xml is a suffix */))) { |
||||||
|
ap_remove_output_filter(f); |
||||||
|
return ap_pass_brigade(f->next, bb) ; |
||||||
|
} |
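Review bot: The media-type extraction cuts at the first `;` but does not trim optional whitespace before it, so a Content-Type such as `application/xhtml+xml ; charset=utf-8` leaves `mtype` ending in a space: `strcmp(mtype, "application/xml")` misses and the `strlen(p) == 4` suffix test fails, so the filter removes itself for an XML response. Trimming trailing blanks after the cut, e.g. `while (p > mtype && apr_isspace(p[-1])) *--p = '\0';` placed in the branch where `p` is set, closes that gap; leading whitespace would need the same treatment if content_type can carry it. The `text/` prefix test is unaffected because strncmp only inspects the first five characters, which is why the regression is specific to the XML branches.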
@ -0,0 +1,91 @@ |
|||||||
|
# ./pullrev.sh 1912081 |
||||||
|
http://svn.apache.org/viewvc?view=revision&revision=1912081 |
||||||
|
|
||||||
|
Upstream-Status: merged in 2.4.58 |
||||||
|
|
||||||
|
--- httpd-2.4.57/modules/dav/main/mod_dav.c |
||||||
|
+++ httpd-2.4.57/modules/dav/main/mod_dav.c |
||||||
|
@@ -81,6 +81,7 @@ |
||||||
|
const char *provider_name; |
||||||
|
const dav_provider *provider; |
||||||
|
const char *dir; |
||||||
|
+ const char *base; |
||||||
|
int locktimeout; |
||||||
|
int allow_depthinfinity; |
||||||
|
int allow_lockdiscovery; |
||||||
|
@@ -196,6 +197,7 @@ |
||||||
|
|
||||||
|
newconf->locktimeout = DAV_INHERIT_VALUE(parent, child, locktimeout); |
||||||
|
newconf->dir = DAV_INHERIT_VALUE(parent, child, dir); |
||||||
|
+ newconf->base = DAV_INHERIT_VALUE(parent, child, base); |
||||||
|
newconf->allow_depthinfinity = DAV_INHERIT_VALUE(parent, child, |
||||||
|
allow_depthinfinity); |
||||||
|
newconf->allow_lockdiscovery = DAV_INHERIT_VALUE(parent, child, |
||||||
|
@@ -283,6 +285,18 @@ |
||||||
|
} |
||||||
|
|
||||||
|
/* |
||||||
|
+ * Command handler for the DAVBasePath directive, which is TAKE1 |
||||||
|
+ */ |
||||||
|
+static const char *dav_cmd_davbasepath(cmd_parms *cmd, void *config, const char *arg1) |
||||||
|
+{ |
||||||
|
+ dav_dir_conf *conf = config; |
||||||
|
+ |
||||||
|
+ conf->base = arg1; |
||||||
|
+ |
||||||
|
+ return NULL; |
||||||
|
+} |
||||||
|
+ |
||||||
|
+/* |
||||||
|
* Command handler for the DAVDepthInfinity directive, which is FLAG. |
||||||
|
*/ |
||||||
|
static const char *dav_cmd_davdepthinfinity(cmd_parms *cmd, void *config, |
||||||
|
@@ -748,7 +762,7 @@ |
||||||
|
int use_checked_in, dav_resource **res_p) |
||||||
|
{ |
||||||
|
dav_dir_conf *conf; |
||||||
|
- const char *label = NULL; |
||||||
|
+ const char *label = NULL, *base; |
||||||
|
dav_error *err; |
||||||
|
|
||||||
|
/* if the request target can be overridden, get any target selector */ |
||||||
|
@@ -765,11 +779,27 @@ |
||||||
|
ap_escape_html(r->pool, r->uri))); |
||||||
|
} |
||||||
|
|
||||||
|
+ /* Take the repos root from DAVBasePath if configured, else the |
||||||
|
+ * path of the enclosing section. */ |
||||||
|
+ base = conf->base ? conf->base : conf->dir; |
||||||
|
+ |
||||||
|
/* resolve the resource */ |
||||||
|
- err = (*conf->provider->repos->get_resource)(r, conf->dir, |
||||||
|
+ err = (*conf->provider->repos->get_resource)(r, base, |
||||||
|
label, use_checked_in, |
||||||
|
res_p); |
||||||
|
if (err != NULL) { |
||||||
|
+ /* In the error path, give a hint that DavBasePath needs to be |
||||||
|
+ * used if the location was configured via a regex match. */ |
||||||
|
+ if (!conf->base) { |
||||||
|
+ core_dir_config *cdc = ap_get_core_module_config(r->per_dir_config); |
||||||
|
+ |
||||||
|
+ if (cdc->r) { |
||||||
|
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, APLOGNO(10484) |
||||||
|
+ "failed to find repository for location configured " |
||||||
|
+ "via regex match - missing DAVBasePath?"); |
||||||
|
+ } |
||||||
|
+ } |
||||||
|
+ |
||||||
|
err = dav_push_error(r->pool, err->status, 0, |
||||||
|
"Could not fetch resource information.", err); |
||||||
|
return err; |
||||||
|
@@ -5164,6 +5194,10 @@ |
||||||
|
AP_INIT_TAKE1("DAV", dav_cmd_dav, NULL, ACCESS_CONF, |
||||||
|
"specify the DAV provider for a directory or location"), |
||||||
|
|
||||||
|
+ /* per directory/location */ |
||||||
|
+ AP_INIT_TAKE1("DAVBasePath", dav_cmd_davbasepath, NULL, ACCESS_CONF, |
||||||
|
+ "specify the DAV repository base URL"), |
||||||
|
+ |
||||||
|
/* per directory/location, or per server */ |
||||||
|
AP_INIT_TAKE1("DAVMinTimeout", dav_cmd_davmintimeout, NULL, |
||||||
|
ACCESS_CONF|RSRC_CONF, |
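Review bot: The new error path logs APLOGNO(10484) with `ap_log_error(..., 0, NULL, ...)`, which sends it to the main server log with no request or virtual-host context even though `r` is in scope; `ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10484) ...)` keeps the hint attached to the failing request (the containing function starts outside the hunk). dav_cmd_davbasepath stores arg1 unchecked, so a value without a leading `/` is handed straight to get_resource as the repository root; whether the provider tolerates that is not visible here, and returning an error string from the command handler for such input would fail at configuration time rather than per request. The help text `specify the DAV repository base URL` could read "base path" to match the directive name, since what is stored and compared appears to be a URI path rather than a full URL.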
@ -0,0 +1,381 @@ |
|||||||
|
# ./pullrev.sh 1912477 1912571 1912718 1913654 1914438 |
||||||
|
http://svn.apache.org/viewvc?view=revision&revision=1912477 |
||||||
|
http://svn.apache.org/viewvc?view=revision&revision=1912571 |
||||||
|
http://svn.apache.org/viewvc?view=revision&revision=1912718 |
||||||
|
http://svn.apache.org/viewvc?view=revision&revision=1913654 |
||||||
|
http://svn.apache.org/viewvc?view=revision&revision=1914438 |
||||||
|
|
||||||
|
--- httpd-2.4.58/modules/dav/fs/config6.m4.r1912477+ |
||||||
|
+++ httpd-2.4.58/modules/dav/fs/config6.m4 |
||||||
|
@@ -20,4 +20,10 @@ |
||||||
|
|
||||||
|
APACHE_MODULE(dav_fs, DAV provider for the filesystem. --enable-dav also enables mod_dav_fs., $dav_fs_objects, , $dav_fs_enable,,dav) |
||||||
|
|
||||||
|
+if test "x$enable_dav_fs" = "xshared"; then |
||||||
|
+ # The only symbol which needs to be exported is the module |
||||||
|
+ # structure, so ask libtool to hide everything else: |
||||||
|
+ APR_ADDTO(MOD_DAV_FS_LDADD, [-export-symbols-regex dav_fs_module]) |
||||||
|
+fi |
||||||
|
+ |
||||||
|
APACHE_MODPATH_FINISH |
||||||
|
--- httpd-2.4.58/modules/dav/fs/dbm.c.r1912477+ |
||||||
|
+++ httpd-2.4.58/modules/dav/fs/dbm.c |
||||||
|
@@ -47,6 +47,10 @@ |
||||||
|
#include "http_log.h" |
||||||
|
#include "http_main.h" /* for ap_server_conf */ |
||||||
|
|
||||||
|
+#ifndef DEFAULT_PROPDB_DBM_TYPE |
||||||
|
+#define DEFAULT_PROPDB_DBM_TYPE "default" |
||||||
|
+#endif |
||||||
|
+ |
||||||
|
APLOG_USE_MODULE(dav_fs); |
||||||
|
|
||||||
|
struct dav_db { |
||||||
|
@@ -100,7 +104,7 @@ |
||||||
|
/* There might not be a <db> if we had problems creating it. */ |
||||||
|
if (db == NULL) { |
||||||
|
errcode = 1; |
||||||
|
- errstr = "Could not open property database."; |
||||||
|
+ errstr = "Could not open database."; |
||||||
|
if (APR_STATUS_IS_EDSOOPEN(status)) |
||||||
|
ap_log_error(APLOG_MARK, APLOG_CRIT, status, ap_server_conf, APLOGNO(00576) |
||||||
|
"The DBM driver could not be loaded"); |
||||||
|
@@ -129,10 +133,10 @@ |
||||||
|
/* dav_dbm_open_direct: Opens a *dbm database specified by path. |
||||||
|
* ro = boolean read-only flag. |
||||||
|
*/ |
||||||
|
-dav_error * dav_dbm_open_direct(apr_pool_t *p, const char *pathname, int ro, |
||||||
|
- dav_db **pdb) |
||||||
|
+dav_error * dav_dbm_open_direct(apr_pool_t *p, const char *pathname, |
||||||
|
+ const char *dbmtype, int ro, dav_db **pdb) |
||||||
|
{ |
||||||
|
-#if APU_MAJOR_VERSION > 1 || (APU_MAJOR_VERSION == 1 && APU_MINOR_VERSION >= 7) |
||||||
|
+#if APR_MAJOR_VERSION > 1 || (APU_MAJOR_VERSION == 1 && APU_MINOR_VERSION >= 7) |
||||||
|
const apr_dbm_driver_t *driver; |
||||||
|
const apu_err_t *err; |
||||||
|
#endif |
||||||
|
@@ -141,13 +145,13 @@ |
||||||
|
|
||||||
|
*pdb = NULL; |
||||||
|
|
||||||
|
-#if APU_MAJOR_VERSION > 1 || (APU_MAJOR_VERSION == 1 && APU_MINOR_VERSION >= 7) |
||||||
|
- if ((status = apr_dbm_get_driver(&driver, NULL, &err, p)) != APR_SUCCESS) { |
||||||
|
+#if APR_MAJOR_VERSION > 1 || (APU_MAJOR_VERSION == 1 && APU_MINOR_VERSION >= 7) |
||||||
|
+ if ((status = apr_dbm_get_driver(&driver, dbmtype, &err, p)) != APR_SUCCESS) { |
||||||
|
ap_log_error(APLOG_MARK, APLOG_ERR, status, ap_server_conf, APLOGNO(10289) |
||||||
|
- "mod_dav_fs: The DBM library '%s' could not be loaded: %s", |
||||||
|
- err->reason, err->msg); |
||||||
|
+ "mod_dav_fs: The DBM library '%s' for '%s' could not be loaded: %s", |
||||||
|
+ err->reason, dbmtype, err->msg); |
||||||
|
return dav_new_error(p, HTTP_INTERNAL_SERVER_ERROR, 1, status, |
||||||
|
- "Could not load library for property database."); |
||||||
|
+ "Could not load library for database."); |
||||||
|
} |
||||||
|
if ((status = apr_dbm_open2(&file, driver, pathname, |
||||||
|
ro ? APR_DBM_READONLY : APR_DBM_RWCREATE, |
||||||
|
@@ -156,7 +160,7 @@ |
||||||
|
return dav_fs_dbm_error(NULL, p, status); |
||||||
|
} |
||||||
|
#else |
||||||
|
- if ((status = apr_dbm_open(&file, pathname, |
||||||
|
+ if ((status = apr_dbm_open_ex(&file, dbmtype, pathname, |
||||||
|
ro ? APR_DBM_READONLY : APR_DBM_RWCREATE, |
||||||
|
APR_OS_DEFAULT, p)) |
||||||
|
!= APR_SUCCESS |
||||||
|
@@ -206,7 +210,7 @@ |
||||||
|
|
||||||
|
/* ### do we need to deal with the umask? */ |
||||||
|
|
||||||
|
- return dav_dbm_open_direct(p, pathname, ro, pdb); |
||||||
|
+ return dav_dbm_open_direct(p, pathname, DEFAULT_PROPDB_DBM_TYPE, ro, pdb); |
||||||
|
} |
||||||
|
|
||||||
|
void dav_dbm_close(dav_db *db) |
||||||
|
--- httpd-2.4.58/modules/dav/fs/lock.c.r1912477+ |
||||||
|
+++ httpd-2.4.58/modules/dav/fs/lock.c |
||||||
|
@@ -181,8 +181,7 @@ |
||||||
|
{ |
||||||
|
request_rec *r; /* for accessing the uuid state */ |
||||||
|
apr_pool_t *pool; /* a pool to use */ |
||||||
|
- const char *lockdb_path; /* where is the lock database? */ |
||||||
|
- |
||||||
|
+ const dav_fs_server_conf *conf; /* lock database config & metadata */ |
||||||
|
int opened; /* we opened the database */ |
||||||
|
dav_db *db; /* if non-NULL, the lock database */ |
||||||
|
}; |
||||||
|
@@ -292,6 +291,19 @@ |
||||||
|
return dav_compare_locktoken(lt1, lt2); |
||||||
|
} |
||||||
|
|
||||||
|
+static apr_status_t dav_fs_lockdb_cleanup(void *data) |
||||||
|
+{ |
||||||
|
+ dav_lockdb *lockdb = data; |
||||||
|
+ |
||||||
|
+ apr_global_mutex_unlock(lockdb->info->conf->lockdb_mutex); |
||||||
|
+ |
||||||
|
+ if (lockdb->info->db) { |
||||||
|
+ dav_dbm_close(lockdb->info->db); |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+ return APR_SUCCESS; |
||||||
|
+} |
||||||
|
+ |
||||||
|
/* |
||||||
|
** dav_fs_really_open_lockdb: |
||||||
|
** |
||||||
|
@@ -300,15 +312,27 @@ |
||||||
|
static dav_error * dav_fs_really_open_lockdb(dav_lockdb *lockdb) |
||||||
|
{ |
||||||
|
dav_error *err; |
||||||
|
+ apr_status_t rv; |
||||||
|
|
||||||
|
if (lockdb->info->opened) |
||||||
|
return NULL; |
||||||
|
|
||||||
|
+ rv = apr_global_mutex_lock(lockdb->info->conf->lockdb_mutex); |
||||||
|
+ if (rv) { |
||||||
|
+ return dav_new_error(lockdb->info->pool, |
||||||
|
+ HTTP_INTERNAL_SERVER_ERROR, |
||||||
|
+ DAV_ERR_LOCK_OPENDB, rv, |
||||||
|
+ "Could not lock mutex for lock database."); |
||||||
|
+ } |
||||||
|
+ |
||||||
|
err = dav_dbm_open_direct(lockdb->info->pool, |
||||||
|
- lockdb->info->lockdb_path, |
||||||
|
+ lockdb->info->conf->lockdb_path, |
||||||
|
+ lockdb->info->conf->lockdb_type, |
||||||
|
lockdb->ro, |
||||||
|
&lockdb->info->db); |
||||||
|
if (err != NULL) { |
||||||
|
+ apr_global_mutex_unlock(lockdb->info->conf->lockdb_mutex); |
||||||
|
+ |
||||||
|
return dav_push_error(lockdb->info->pool, |
||||||
|
HTTP_INTERNAL_SERVER_ERROR, |
||||||
|
DAV_ERR_LOCK_OPENDB, |
||||||
|
@@ -316,6 +340,10 @@ |
||||||
|
err); |
||||||
|
} |
||||||
|
|
||||||
|
+ apr_pool_cleanup_register(lockdb->info->pool, lockdb, |
||||||
|
+ dav_fs_lockdb_cleanup, |
||||||
|
+ dav_fs_lockdb_cleanup); |
||||||
|
+ |
||||||
|
/* all right. it is opened now. */ |
||||||
|
lockdb->info->opened = 1; |
||||||
|
|
||||||
|
@@ -341,9 +369,9 @@ |
||||||
|
comb->pub.info = &comb->priv; |
||||||
|
comb->priv.r = r; |
||||||
|
comb->priv.pool = r->pool; |
||||||
|
- |
||||||
|
- comb->priv.lockdb_path = dav_get_lockdb_path(r); |
||||||
|
- if (comb->priv.lockdb_path == NULL) { |
||||||
|
+ comb->priv.conf = dav_fs_get_server_conf(r); |
||||||
|
+ |
||||||
|
+ if (comb->priv.conf == NULL || comb->priv.conf->lockdb_path == NULL) { |
||||||
|
return dav_new_error(r->pool, HTTP_INTERNAL_SERVER_ERROR, |
||||||
|
DAV_ERR_LOCK_NO_DB, 0, |
||||||
|
"A lock database was not specified with the " |
||||||
|
@@ -369,8 +397,8 @@ |
||||||
|
*/ |
||||||
|
static void dav_fs_close_lockdb(dav_lockdb *lockdb) |
||||||
|
{ |
||||||
|
- if (lockdb->info->db != NULL) |
||||||
|
- dav_dbm_close(lockdb->info->db); |
||||||
|
+ apr_pool_cleanup_run(lockdb->info->pool, lockdb, |
||||||
|
+ dav_fs_lockdb_cleanup); |
||||||
|
} |
||||||
|
|
||||||
|
/* |
||||||
|
--- httpd-2.4.58/modules/dav/fs/mod_dav_fs.c.r1912477+ |
||||||
|
+++ httpd-2.4.58/modules/dav/fs/mod_dav_fs.c |
||||||
|
@@ -14,31 +14,35 @@ |
||||||
|
* limitations under the License. |
||||||
|
*/ |
||||||
|
|
||||||
|
+#if !defined(_MSC_VER) && !defined(NETWARE) |
||||||
|
+#include "ap_config_auto.h" |
||||||
|
+#endif |
||||||
|
+ |
||||||
|
#include "httpd.h" |
||||||
|
#include "http_config.h" |
||||||
|
+#include "http_core.h" |
||||||
|
+#include "http_log.h" |
||||||
|
#include "apr_strings.h" |
||||||
|
|
||||||
|
#include "mod_dav.h" |
||||||
|
#include "repos.h" |
||||||
|
|
||||||
|
-/* per-server configuration */ |
||||||
|
-typedef struct { |
||||||
|
- const char *lockdb_path; |
||||||
|
- |
||||||
|
-} dav_fs_server_conf; |
||||||
|
- |
||||||
|
extern module AP_MODULE_DECLARE_DATA dav_fs_module; |
||||||
|
|
||||||
|
#ifndef DEFAULT_DAV_LOCKDB |
||||||
|
#define DEFAULT_DAV_LOCKDB "davlockdb" |
||||||
|
#endif |
||||||
|
+#ifndef DEFAULT_DAV_LOCKDB_TYPE |
||||||
|
+#define DEFAULT_DAV_LOCKDB_TYPE "default" |
||||||
|
+#endif |
||||||
|
|
||||||
|
-const char *dav_get_lockdb_path(const request_rec *r) |
||||||
|
-{ |
||||||
|
- dav_fs_server_conf *conf; |
||||||
|
+static const char dav_fs_mutexid[] = "dav_fs-lockdb"; |
||||||
|
|
||||||
|
- conf = ap_get_module_config(r->server->module_config, &dav_fs_module); |
||||||
|
- return conf->lockdb_path; |
||||||
|
+static apr_global_mutex_t *dav_fs_lockdb_mutex; |
||||||
|
+ |
||||||
|
+const dav_fs_server_conf *dav_fs_get_server_conf(const request_rec *r) |
||||||
|
+{ |
||||||
|
+ return ap_get_module_config(r->server->module_config, &dav_fs_module); |
||||||
|
} |
||||||
|
|
||||||
|
static void *dav_fs_create_server_config(apr_pool_t *p, server_rec *s) |
||||||
|
@@ -57,15 +61,50 @@ |
||||||
|
|
||||||
|
newconf->lockdb_path = |
||||||
|
child->lockdb_path ? child->lockdb_path : parent->lockdb_path; |
||||||
|
+ newconf->lockdb_type = |
||||||
|
+ child->lockdb_type ? child->lockdb_type : parent->lockdb_type; |
||||||
|
|
||||||
|
return newconf; |
||||||
|
} |
||||||
|
|
||||||
|
+static int dav_fs_pre_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptemp) |
||||||
|
+{ |
||||||
|
+ if (ap_mutex_register(pconf, dav_fs_mutexid, NULL, APR_LOCK_DEFAULT, 0)) |
||||||
|
+ return !OK; |
||||||
|
+ return OK; |
||||||
|
+} |
||||||
|
+ |
||||||
|
+static void dav_fs_child_init(apr_pool_t *p, server_rec *s) |
||||||
|
+{ |
||||||
|
+ apr_status_t rv; |
||||||
|
+ |
||||||
|
+ rv = apr_global_mutex_child_init(&dav_fs_lockdb_mutex, |
||||||
|
+ apr_global_mutex_lockfile(dav_fs_lockdb_mutex), |
||||||
|
+ p); |
||||||
|
+ if (rv) { |
||||||
|
+ ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, |
||||||
|
+ APLOGNO(10488) "child init failed for mutex"); |
||||||
|
+ } |
||||||
|
+} |
||||||
|
+ |
||||||
|
static apr_status_t dav_fs_post_config(apr_pool_t *p, apr_pool_t *plog, |
||||||
|
apr_pool_t *ptemp, server_rec *base_server) |
||||||
|
{ |
||||||
|
server_rec *s; |
||||||
|
+ apr_status_t rv; |
||||||
|
|
||||||
|
+ /* Ignore first pass through the config. */ |
||||||
|
+ if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG) |
||||||
|
+ return OK; |
||||||
|
+ |
||||||
|
+ rv = ap_global_mutex_create(&dav_fs_lockdb_mutex, NULL, dav_fs_mutexid, NULL, |
||||||
|
+ base_server, p, 0); |
||||||
|
+ if (rv) { |
||||||
|
+ ap_log_error(APLOG_MARK, APLOG_ERR, rv, base_server, |
||||||
|
+ APLOGNO(10489) "could not create lock mutex"); |
||||||
|
+ return !OK; |
||||||
|
+ } |
||||||
|
+ |
||||||
|
for (s = base_server; s; s = s->next) { |
||||||
|
dav_fs_server_conf *conf; |
||||||
|
|
||||||
|
@@ -74,6 +113,13 @@ |
||||||
|
if (!conf->lockdb_path) { |
||||||
|
conf->lockdb_path = ap_state_dir_relative(p, DEFAULT_DAV_LOCKDB); |
||||||
|
} |
||||||
|
+ if (!conf->lockdb_type) { |
||||||
|
+ conf->lockdb_type = DEFAULT_DAV_LOCKDB_TYPE; |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+ /* Mutex is common across all vhosts, but could have one per |
||||||
|
+ * vhost if required. */ |
||||||
|
+ conf->lockdb_mutex = dav_fs_lockdb_mutex; |
||||||
|
} |
||||||
|
|
||||||
|
return OK; |
||||||
|
@@ -98,19 +144,36 @@ |
||||||
|
return NULL; |
||||||
|
} |
||||||
|
|
||||||
|
+/* |
||||||
|
+ * Command handler for the DAVLockDBType directive, which is TAKE1 |
||||||
|
+ */ |
||||||
|
+static const char *dav_fs_cmd_davlockdbtype(cmd_parms *cmd, void *config, |
||||||
|
+ const char *arg1) |
||||||
|
+{ |
||||||
|
+ dav_fs_server_conf *conf = ap_get_module_config(cmd->server->module_config, |
||||||
|
+ &dav_fs_module); |
||||||
|
+ conf->lockdb_type = arg1; |
||||||
|
+ |
||||||
|
+ return NULL; |
||||||
|
+} |
||||||
|
+ |
||||||
|
static const command_rec dav_fs_cmds[] = |
||||||
|
{ |
||||||
|
/* per server */ |
||||||
|
AP_INIT_TAKE1("DAVLockDB", dav_fs_cmd_davlockdb, NULL, RSRC_CONF, |
||||||
|
"specify a lock database"), |
||||||
|
+ AP_INIT_TAKE1("DAVLockDBType", dav_fs_cmd_davlockdbtype, NULL, RSRC_CONF, |
||||||
|
+ "specify a lock database DBM type"), |
||||||
|
|
||||||
|
{ NULL } |
||||||
|
}; |
||||||
|
|
||||||
|
static void register_hooks(apr_pool_t *p) |
||||||
|
{ |
||||||
|
+ ap_hook_pre_config(dav_fs_pre_config, NULL, NULL, APR_HOOK_MIDDLE); |
||||||
|
ap_hook_post_config(dav_fs_post_config, NULL, NULL, APR_HOOK_MIDDLE); |
||||||
|
- |
||||||
|
+ ap_hook_child_init(dav_fs_child_init, NULL, NULL, APR_HOOK_MIDDLE); |
||||||
|
+ |
||||||
|
dav_hook_gather_propsets(dav_fs_gather_propsets, NULL, NULL, |
||||||
|
APR_HOOK_MIDDLE); |
||||||
|
dav_hook_find_liveprop(dav_fs_find_liveprop, NULL, NULL, APR_HOOK_MIDDLE); |
||||||
|
--- httpd-2.4.58/modules/dav/fs/repos.h.r1912477+ |
||||||
|
+++ httpd-2.4.58/modules/dav/fs/repos.h |
||||||
|
@@ -25,6 +25,8 @@ |
||||||
|
#ifndef _DAV_FS_REPOS_H_ |
||||||
|
#define _DAV_FS_REPOS_H_ |
||||||
|
|
||||||
|
+#include "util_mutex.h" |
||||||
|
+ |
||||||
|
/* the subdirectory to hold all DAV-related information for a directory */ |
||||||
|
#define DAV_FS_STATE_DIR ".DAV" |
||||||
|
#define DAV_FS_STATE_FILE_FOR_DIR ".state_for_dir" |
||||||
|
@@ -53,8 +55,8 @@ |
||||||
|
/* DBM functions used by the repository and locking providers */ |
||||||
|
extern const dav_hooks_db dav_hooks_db_dbm; |
||||||
|
|
||||||
|
-dav_error * dav_dbm_open_direct(apr_pool_t *p, const char *pathname, int ro, |
||||||
|
- dav_db **pdb); |
||||||
|
+dav_error * dav_dbm_open_direct(apr_pool_t *p, const char *pathname, |
||||||
|
+ const char *dbmtype, int ro, dav_db **pdb); |
||||||
|
void dav_dbm_get_statefiles(apr_pool_t *p, const char *fname, |
||||||
|
const char **state1, const char **state2); |
||||||
|
dav_error * dav_dbm_delete(dav_db *db, apr_datum_t key); |
||||||
|
@@ -64,8 +66,15 @@ |
||||||
|
int dav_dbm_exists(dav_db *db, apr_datum_t key); |
||||||
|
void dav_dbm_close(dav_db *db); |
||||||
|
|
||||||
|
-/* where is the lock database located? */ |
||||||
|
-const char *dav_get_lockdb_path(const request_rec *r); |
||||||
|
+/* Per-server configuration. */ |
||||||
|
+typedef struct { |
||||||
|
+ const char *lockdb_path; |
||||||
|
+ const char *lockdb_type; |
||||||
|
+ apr_global_mutex_t *lockdb_mutex; |
||||||
|
+} dav_fs_server_conf; |
||||||
|
+ |
||||||
|
+/* Returns server configuration for the request. */ |
||||||
|
+const dav_fs_server_conf *dav_fs_get_server_conf(const request_rec *r); |
||||||
|
|
||||||
|
const dav_hooks_locks *dav_fs_get_lock_hooks(request_rec *r); |
||||||
|
const dav_hooks_propdb *dav_fs_get_propdb_hooks(request_rec *r); |
@ -0,0 +1,60 @@ |
|||||||
|
diff --git a/configure.in b/configure.in |
||||||
|
index 1e342bb..a3c994b 100644 |
||||||
|
--- a/configure.in |
||||||
|
+++ b/configure.in |
||||||
|
@@ -530,6 +530,11 @@ getloadavg |
||||||
|
dnl confirm that a void pointer is large enough to store a long integer |
||||||
|
APACHE_CHECK_VOID_PTR_LEN |
||||||
|
|
||||||
|
+AC_CHECK_LIB(selinux, is_selinux_enabled, [ |
||||||
|
+ AC_DEFINE(HAVE_SELINUX, 1, [Defined if SELinux is supported]) |
||||||
|
+ APR_ADDTO(HTTPD_LIBS, [-lselinux]) |
||||||
|
+]) |
||||||
|
+ |
||||||
|
AC_CACHE_CHECK([for gettid()], ac_cv_gettid, |
||||||
|
[AC_TRY_RUN(#define _GNU_SOURCE |
||||||
|
#include <unistd.h> |
||||||
|
diff --git a/server/core.c b/server/core.c |
||||||
|
index ca33d94..41e9bdc 100644 |
||||||
|
--- a/server/core.c |
||||||
|
+++ b/server/core.c |
||||||
|
@@ -65,6 +65,10 @@ |
||||||
|
#include <unistd.h> |
||||||
|
#endif |
||||||
|
|
||||||
|
+#ifdef HAVE_SELINUX |
||||||
|
+#include <selinux/selinux.h> |
||||||
|
+#endif |
||||||
|
+ |
||||||
|
/* LimitRequestBody handling */ |
||||||
|
#define AP_LIMIT_REQ_BODY_UNSET ((apr_off_t) -1) |
||||||
|
#define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 1<<30) /* 1GB */ |
||||||
|
@@ -5157,6 +5161,28 @@ static int core_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *pte |
||||||
|
} |
||||||
|
#endif |
||||||
|
|
||||||
|
+#ifdef HAVE_SELINUX |
||||||
|
+ { |
||||||
|
+ static int already_warned = 0; |
||||||
|
+ int is_enabled = is_selinux_enabled() > 0; |
||||||
|
+ |
||||||
|
+ if (is_enabled && !already_warned) { |
||||||
|
+ security_context_t con; |
||||||
|
+ |
||||||
|
+ if (getcon(&con) == 0) { |
||||||
|
+ |
||||||
|
+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL, |
||||||
|
+ "SELinux policy enabled; " |
||||||
|
+ "httpd running as context %s", con); |
||||||
|
+ |
||||||
|
+ already_warned = 1; |
||||||
|
+ |
||||||
|
+ freecon(con); |
||||||
|
+ } |
||||||
|
+ } |
||||||
|
+ } |
||||||
|
+#endif |
||||||
|
+ |
||||||
|
return OK; |
||||||
|
} |
||||||
|
|
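Review bot: `security_context_t con;` in the added block of core_post_config uses a typedef that recent libselinux releases mark as deprecated in favour of plain `char *`, so newer headers warn on it; `char *con;` is the portable spelling and still matches the `getcon()`/`freecon()` signatures used here. The enclosing function core_post_config starts and ends outside the hunk. A secondary point: when `getcon()` fails nothing is logged and `already_warned` stays 0, so the lookup repeats on every later post_config pass; if that is intended, a comment such as `/* getcon() failure is silent: the context is informational only */` would say so.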
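--- /dev/null
+++ b/httpd-init.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=One-time temporary TLS key generation for httpd.service
+Documentation=man:httpd-init.service(8)
+
+ConditionPathExists=|!/etc/pki/tls/certs/localhost.crt
+ConditionPathExists=|!/etc/pki/tls/private/localhost.key
+
+[Service]
+Type=oneshot
+RemainAfterExit=no
+PrivateTmp=true
+
+ExecStart=/usr/libexec/httpd-ssl-gencerts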
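--- /dev/null
+++ b/httpd-ssl-gencerts
@@ -0,0 +1,40 @@
+#!/usr/bin/bash
+
+set -e
+
+FQDN=`hostname`
+ssldotconf=/etc/httpd/conf.d/ssl.conf
+
+if test -f /etc/pki/tls/certs/localhost.crt -a \
+-f /etc/pki/tls/private/localhost.key; then
+exit 0
+fi
+
+if test -f /etc/pki/tls/certs/localhost.crt -a \
+! -f /etc/pki/tls/private/localhost.key; then
+echo "Missing certificate key!"
+exit 1
+fi
+
+if test ! -f /etc/pki/tls/certs/localhost.crt -a \
+-f /etc/pki/tls/private/localhost.key; then
+echo "Missing certificate, but key is present!"
+exit 1
+fi
+
+if ! test -f ${ssldotconf} || \
+! grep -q '^SSLCertificateFile /etc/pki/tls/certs/localhost.crt' ${ssldotconf} || \
+! grep -q '^SSLCertificateKeyFile /etc/pki/tls/private/localhost.key' ${ssldotconf}; then
+# Non-default configuration, do nothing.
+exit 0
+fi
+
+sscg -q \
+--cert-file /etc/pki/tls/certs/localhost.crt \
+--cert-key-file /etc/pki/tls/private/localhost.key \
+--ca-file /etc/pki/tls/certs/localhost.crt \
+--dhparams-file /tmp/dhparams.pem \
+--lifetime 365 \
+--hostname $FQDN \
+--email root@$FQDN
+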
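Review bot: `--dhparams-file /tmp/dhparams.pem` hard-codes a predictable name in the shared /tmp; under the unit this is isolated by `PrivateTmp=true`, but the script is a plain executable and can be run by hand, in which case root writes to a path another local user could pre-create. A script-owned temporary is safer, e.g. `dhparams=$(mktemp)` before the sscg call and `--dhparams-file "$dhparams" \` in it, removed afterwards since the script never reads the file again. Separately, `$FQDN` is unquoted in `--hostname $FQDN` and `--email root@$FQDN`; quoting it guards against word splitting on an unexpected hostname at no cost.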
@ -0,0 +1,3 @@ |
#!/bin/sh |
|
exec /bin/systemd-ask-password "Enter TLS private key passphrase for $1 ($2) : " |
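--- /dev/null
+++ b/httpd.conf
@@ -0,0 +1,358 @@
+#
+# This is the main Apache HTTP server configuration file. It contains the
+# configuration directives that give the server its instructions.
+# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
+# In particular, see
+# <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
+# for a discussion of each configuration directive.
+#
+# See the httpd.conf(5) man page for more information on this configuration,
+# and httpd.service(8) on using and configuring the httpd service.
+#
+# Do NOT simply read the instructions in here without understanding
+# what they do. They're here only as hints or reminders. If you are unsure
+# consult the online docs. You have been warned.
+#
+# Configuration and logfile names: If the filenames you specify for many
+# of the server's control files begin with "/" (or "drive:/" for Win32), the
+# server will use that explicit path. If the filenames do *not* begin
+# with "/", the value of ServerRoot is prepended -- so 'log/access_log'
+# with ServerRoot set to '/www' will be interpreted by the
+# server as '/www/log/access_log', where as '/log/access_log' will be
+# interpreted as '/log/access_log'.
+
+#
+# ServerRoot: The top of the directory tree under which the server's
+# configuration, error, and log files are kept.
+#
+# Do not add a slash at the end of the directory path. If you point
+# ServerRoot at a non-local disk, be sure to specify a local disk on the
+# Mutex directive, if file-based mutexes are used. If you wish to share the
+# same ServerRoot for multiple httpd daemons, you will need to change at
+# least PidFile.
+#
+ServerRoot "/etc/httpd"
+
+#
+# Listen: Allows you to bind Apache to specific IP addresses and/or
+# ports, instead of the default. See also the <VirtualHost>
+# directive.
+#
+# Change this to Listen on a specific IP address, but note that if
+# httpd.service is enabled to run at boot time, the address may not be
+# available when the service starts. See the httpd.service(8) man
+# page for more information.
+#
+#Listen 12.34.56.78:80
+Listen 80
+
+#
+# Dynamic Shared Object (DSO) Support
+#
+# To be able to use the functionality of a module which was built as a DSO you
+# have to place corresponding `LoadModule' lines at this location so the
+# directives contained in it are actually available _before_ they are used.
+# Statically compiled modules (those listed by `httpd -l') do not need
+# to be loaded here.
+#
+# Example:
+# LoadModule foo_module modules/mod_foo.so
+#
+Include conf.modules.d/*.conf
+
+#
+# If you wish httpd to run as a different user or group, you must run
+# httpd as root initially and it will switch.
+#
+# User/Group: The name (or #number) of the user/group to run httpd as.
+# It is usually good practice to create a dedicated user and group for
+# running httpd, as with most system services.
+#
+User apache
+Group apache
+
+# 'Main' server configuration
+#
+# The directives in this section set up the values used by the 'main'
+# server, which responds to any requests that aren't handled by a
+# <VirtualHost> definition. These values also provide defaults for
+# any <VirtualHost> containers you may define later in the file.
+#
+# All of these directives may appear inside <VirtualHost> containers,
+# in which case these default settings will be overridden for the
+# virtual host being defined.
+#
+
+#
+# ServerAdmin: Your address, where problems with the server should be
+# e-mailed. This address appears on some server-generated pages, such
+# as error documents. e.g. admin@your-domain.com
+#
+ServerAdmin root@localhost
+
+#
+# ServerName gives the name and port that the server uses to identify itself.
+# This can often be determined automatically, but we recommend you specify
+# it explicitly to prevent problems during startup.
+#
+# If your host doesn't have a registered DNS name, enter its IP address here.
+#
+#ServerName www.example.com:80
+
+#
+# Deny access to the entirety of your server's filesystem. You must
+# explicitly permit access to web content directories in other
+# <Directory> blocks below.
+#
+<Directory />
+AllowOverride none
+Require all denied
+</Directory>
+
+#
+# Note that from this point forward you must specifically allow
+# particular features to be enabled - so if something's not working as
+# you might expect, make sure that you have specifically enabled it
+# below.
+#
+
+#
+# DocumentRoot: The directory out of which you will serve your
+# documents. By default, all requests are taken from this directory, but
+# symbolic links and aliases may be used to point to other locations.
+#
+DocumentRoot "/var/www/html"
+
+#
+# Relax access to content within /var/www.
+#
+<Directory "/var/www">
+AllowOverride None
+# Allow open access:
+Require all granted
+</Directory>
+
+# Further relax access to the default document root:
+<Directory "/var/www/html">
+#
+# Possible values for the Options directive are "None", "All",
+# or any combination of:
+# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
+#
+# Note that "MultiViews" must be named *explicitly* --- "Options All"
+# doesn't give it to you.
+#
+# The Options directive is both complicated and important. Please see
+# http://httpd.apache.org/docs/2.4/mod/core.html#options
+# for more information.
+#
+Options Indexes FollowSymLinks
+
+#
+# AllowOverride controls what directives may be placed in .htaccess files.
+# It can be "All", "None", or any combination of the keywords:
+# Options FileInfo AuthConfig Limit
+#
+AllowOverride None
+
+#
+# Controls who can get stuff from this server.
+#
+Require all granted
+</Directory>
+
+#
+# DirectoryIndex: sets the file that Apache will serve if a directory
+# is requested.
+#
+<IfModule dir_module>
+DirectoryIndex index.html
+</IfModule>
+
+#
+# The following lines prevent .htaccess and .htpasswd files from being
+# viewed by Web clients.
+#
+<Files ".ht*">
+Require all denied
+</Files>
+
+#
+# ErrorLog: The location of the error log file.
+# If you do not specify an ErrorLog directive within a <VirtualHost>
+# container, error messages relating to that virtual host will be
+# logged here. If you *do* define an error logfile for a <VirtualHost>
+# container, that host's errors will be logged there and not here.
+#
+ErrorLog "logs/error_log"
+
+#
+# LogLevel: Control the number of messages logged to the error_log.
+# Possible values include: debug, info, notice, warn, error, crit,
+# alert, emerg.
+#
+LogLevel warn
+
+<IfModule log_config_module>
+#
+# The following directives define some format nicknames for use with
+# a CustomLog directive (see below).
+#
+LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+LogFormat "%h %l %u %t \"%r\" %>s %b" common
+
+<IfModule logio_module>
+# You need to enable mod_logio.c to use %I and %O
+LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
+</IfModule>
+
+#
+# The location and format of the access logfile (Common Logfile Format).
+# If you do not define any access logfiles within a <VirtualHost>
+# container, they will be logged here. Contrariwise, if you *do*
+# define per-<VirtualHost> access logfiles, transactions will be
+# logged therein and *not* in this file.
+#
+#CustomLog "logs/access_log" common
+
+#
+# If you prefer a logfile with access, agent, and referer information
+# (Combined Logfile Format) you can use the following directive.
+#
+CustomLog "logs/access_log" combined
+</IfModule>
+
+<IfModule alias_module>
+#
+# Redirect: Allows you to tell clients about documents that used to
+# exist in your server's namespace, but do not anymore. The client
+# will make a new request for the document at its new location.
+# Example:
+# Redirect permanent /foo http://www.example.com/bar
+
+#
+# Alias: Maps web paths into filesystem paths and is used to
+# access content that does not live under the DocumentRoot.
+# Example:
+# Alias /webpath /full/filesystem/path
+#
+# If you include a trailing / on /webpath then the server will
+# require it to be present in the URL. You will also likely
+# need to provide a <Directory> section to allow access to
+# the filesystem path.
+
+#
+# ScriptAlias: This controls which directories contain server scripts.
+# ScriptAliases are essentially the same as Aliases, except that
+# documents in the target directory are treated as applications and
+# run by the server when requested rather than as documents sent to the
+# client. The same rules about trailing "/" apply to ScriptAlias
+# directives as to Alias.
+#
+ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
+
+</IfModule>
+
+#
+# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
+# CGI directory exists, if you have that configured.
+#
+<Directory "/var/www/cgi-bin">
+AllowOverride None
+Options None
+Require all granted
+</Directory>
+
+<IfModule mime_module>
+#
+# TypesConfig points to the file containing the list of mappings from
+# filename extension to MIME-type.
+#
+TypesConfig /etc/mime.types
+
+#
+# AddType allows you to add to or override the MIME configuration
+# file specified in TypesConfig for specific file types.
+#
+#AddType application/x-gzip .tgz
+#
+# AddEncoding allows you to have certain browsers uncompress
+# information on the fly. Note: Not all browsers support this.
+#
+#AddEncoding x-compress .Z
+#AddEncoding x-gzip .gz .tgz
+#
+# If the AddEncoding directives above are commented-out, then you
+# probably should define those extensions to indicate media types:
+#
+AddType application/x-compress .Z
+AddType application/x-gzip .gz .tgz
+
+#
+# AddHandler allows you to map certain file extensions to "handlers":
+# actions unrelated to filetype. These can be either built into the server
+# or added with the Action directive (see below)
+#
+# To use CGI scripts outside of ScriptAliased directories:
+# (You will also need to add "ExecCGI" to the "Options" directive.)
+#
+#AddHandler cgi-script .cgi
+
+# For type maps (negotiated resources):
+#AddHandler type-map var
+
+#
+# Filters allow you to process content before it is sent to the client.
+#
+# To parse .shtml files for server-side includes (SSI):
+# (You will also need to add "Includes" to the "Options" directive.)
+#
+AddType text/html .shtml
+AddOutputFilter INCLUDES .shtml
+</IfModule>
+
+#
+# Specify a default charset for all content served; this enables
+# interpretation of all content as UTF-8 by default. To use the
+# default browser choice (ISO-8859-1), or to allow the META tags
+# in HTML content to override this choice, comment out this
+# directive:
+#
+AddDefaultCharset UTF-8
+
+<IfModule mime_magic_module>
+#
+# The mod_mime_magic module allows the server to use various hints from the
+# contents of the file itself to determine its type. The MIMEMagicFile
+# directive tells the module where the hint definitions are located.
+#
+MIMEMagicFile conf/magic
+</IfModule>
+
+#
+# Customizable error responses come in three flavors:
+# 1) plain text 2) local redirects 3) external redirects
+#
+# Some examples:
+#ErrorDocument 500 "The server made a boo boo."
+#ErrorDocument 404 /missing.html
+#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
+#ErrorDocument 402 http://www.example.com/subscription_info.html
+#
+
+#
+# EnableMMAP and EnableSendfile: On systems that support it,
+# memory-mapping or the sendfile syscall may be used to deliver
+# files. This usually improves server performance, but must
+# be turned off when serving from networked-mounted
+# filesystems or if support for these functions is otherwise
+# broken on your system.
+# Defaults if commented: EnableMMAP On, EnableSendfile Off
+#
+#EnableMMAP off
+EnableSendfile on
+
+# Supplemental configuration
+#
+# Load config files in the "/etc/httpd/conf.d" directory, if any.
+IncludeOptional conf.d/*.conf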
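Review bot: `Options Indexes FollowSymLinks` in the `<Directory "/var/www/html">` block enables auto-generated directory listings for every directory under the document root that has no index.html, which exposes file names to anyone who can reach the server; a shipped default is usually tighter with `Options FollowSymLinks` and an explicit `Options +Indexes` only where listings are wanted. If listings are intentional for this distribution's default, a comment beside the directive would spare the next maintainer the question, e.g. `# Indexes is on by default; remove it to suppress directory listings`. The rest of the access policy (deny-all on `<Directory />`, `Require all denied` for `.ht*`, `Options None` for cgi-bin) reads as expected.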
@ -0,0 +1,259 @@ |
|||||||
|
<?xml version='1.0' encoding='utf-8'?> |
||||||
|
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" |
||||||
|
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [ |
||||||
|
|
||||||
|
]> |
||||||
|
<!-- |
||||||
|
Copyright 2018 Red Hat, Inc. |
||||||
|
|
||||||
|
Licensed to the Apache Software Foundation (ASF) under one or more |
||||||
|
contributor license agreements. See the NOTICE file distributed with |
||||||
|
this work for additional information regarding copyright ownership. |
||||||
|
The ASF licenses this file to You under the Apache License, Version 2.0 |
||||||
|
(the "License"); you may not use this file except in compliance with |
||||||
|
the License. You may obtain a copy of the License at |
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0 |
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software |
||||||
|
distributed under the License is distributed on an "AS IS" BASIS, |
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||||
|
See the License for the specific language governing permissions and |
||||||
|
limitations under the License. |
||||||
|
--> |
||||||
|
|
||||||
|
<refentry> |
||||||
|
<refentryinfo> |
||||||
|
<title>httpd.conf</title> |
||||||
|
<productname>httpd</productname> |
||||||
|
<author><contrib>Author</contrib><surname>Orton</surname><firstname>Joe</firstname><email>jorton@redhat.com</email></author> |
||||||
|
</refentryinfo> |
||||||
|
|
||||||
|
<refmeta> |
||||||
|
<refentrytitle>httpd.conf</refentrytitle> |
||||||
|
<manvolnum>5</manvolnum> |
||||||
|
</refmeta> |
||||||
|
|
||||||
|
<refnamediv> |
||||||
|
<refname>httpd.conf</refname> |
||||||
|
<refpurpose>Configuration files for httpd</refpurpose> |
||||||
|
</refnamediv> |
||||||
|
|
||||||
|
<refsynopsisdiv> |
||||||
|
<para> |
||||||
|
<filename>/etc/httpd/conf/httpd.conf</filename>, |
||||||
|
<filename>/etc/httpd/conf.modules.d</filename>, |
||||||
|
<filename>/etc/httpd/conf.d</filename> |
||||||
|
</para> |
||||||
|
</refsynopsisdiv> |
||||||
|
|
||||||
|
<refsect1> |
||||||
|
<title>Description</title> |
||||||
|
|
||||||
|
<para>The main configuration file for the <command>httpd</command> daemon is |
||||||
|
<filename>/etc/httpd/conf/httpd.conf</filename>. The syntax of |
||||||
|
this file is described at <ulink |
||||||
|
url="https://httpd.apache.org/docs/2.4/configuring.html"/>, and |
||||||
|
the full set of available directives is listed at <ulink |
||||||
|
url="https://httpd.apache.org/docs/2.4/mod/directives.html"/>. |
||||||
|
</para> |
||||||
|
|
||||||
|
<refsect2> |
||||||
|
<title>Configuration structure</title> |
||||||
|
|
||||||
|
<para>The main configuration file |
||||||
|
(<filename>httpd.conf</filename>) sets up various defaults and |
||||||
|
includes configuration files from two directories - |
||||||
|
<filename>/etc/httpd/conf.modules.d</filename> and |
||||||
|
<filename>/etc/httpd/conf.d</filename>. Packages containing |
||||||
|
loadable modules (like <option>mod_ssl.so</option>) place files |
||||||
|
in the <filename>conf.modules.d</filename> directory with the |
||||||
|
appropriate <option>LoadModule</option> directive so that module |
||||||
|
is loaded by default.</para> |
||||||
|
|
||||||
|
<para>Some notable configured defaults are:</para> |
||||||
|
|
||||||
|
<variablelist> |
||||||
|
<varlistentry> |
||||||
|
<term><option>DocumentRoot @DOCROOT@/html</option></term> |
||||||
|
<listitem><para>The default document root from which content |
||||||
|
is served.</para></listitem> |
||||||
|
</varlistentry> |
||||||
|
<varlistentry> |
||||||
|
<term><option>Listen 80</option></term> |
||||||
|
<listitem><para>The daemon listens on TCP port 80.</para></listitem> |
||||||
|
</varlistentry> |
||||||
|
<varlistentry> |
||||||
|
<term><option>ErrorLog "logs/error_log"</option></term> |
||||||
|
<listitem><para>Error messages are logged to |
||||||
|
<filename>@LOGDIR@/error_log</filename>.</para></listitem> |
||||||
|
</varlistentry> |
||||||
|
<varlistentry> |
||||||
|
<term><option>ScriptAlias /cgi-bin/ "@DOCROOT@/cgi-bin/"</option></term> |
||||||
|
<listitem><para>CGI scripts are served via the URL-path <option>/cgi-bin/</option>.</para></listitem> |
||||||
|
</varlistentry> |
||||||
|
|
||||||
|
</variablelist> |
||||||
|
|
||||||
|
<para>To remove any of the default configuration provided in |
||||||
|
separate files covered below, replace that file with an empty |
||||||
|
file rather than removing it from the filesystem, otherwise it |
||||||
|
may be restored to the original when the package which provides |
||||||
|
it is upgraded.</para> |
||||||
|
|
||||||
|
</refsect2> |
||||||
|
|
||||||
|
<refsect2> |
||||||
|
<title>MPM configuration</title> |
||||||
|
|
||||||
|
<para>The configuration file at |
||||||
|
<filename>/etc/httpd/conf.modules.d/00-mpm.conf</filename> is |
||||||
|
used to select the multi-processing module (MPM), which governs |
||||||
|
how <command>httpd</command> divides work between processes |
||||||
|
and/or threads at run-time. Exactly one |
||||||
|
<option>LoadModule</option> directive must be uncommented in |
||||||
|
this file; by default the <option>@MPM@</option> MPM is enabled. |
||||||
|
For more information on MPMs, see <ulink |
||||||
|
url="https://httpd.apache.org/docs/2.4/mpm.html"/>.</para> |
||||||
|
|
||||||
|
<para>If using the <emphasis>prefork</emphasis> MPM, the |
||||||
|
"httpd_graceful_shutdown" SELinux boolean should also be |
||||||
|
enabled, since with this MPM, httpd needs to establish TCP |
||||||
|
connections to local ports to successfully complete a graceful |
||||||
|
restart or shutdown. This boolean can be enabled by running the |
||||||
|
command: <command>semanage boolean -m --on |
||||||
|
httpd_graceful_shutdown</command></para> |
||||||
|
</refsect2> |
||||||
|
|
||||||
|
<refsect2> |
||||||
|
<title>Module configuration files</title> |
||||||
|
|
||||||
|
<para>Module configuration files are provided in the |
||||||
|
<filename>/etc/httpd/conf.modules.d/</filename> directory. |
||||||
|
Filenames in this directory are by convention prefixed with two |
||||||
|
digit numeric prefix to ensure they are processed in the desired |
||||||
|
order. Core modules provided with the <command>httpd</command> |
||||||
|
package are loaded by files with a <option>0x-</option> prefix |
||||||
|
to ensure these load first. Only filenames with a |
||||||
|
<option>.conf</option> suffix in this directory will be |
||||||
|
processed.</para> |
||||||
|
|
||||||
|
<para>Other provided configuration files are listed below. |
||||||
|
|
||||||
|
<variablelist> |
||||||
|
<varlistentry> |
||||||
|
<term><filename>/etc/httpd/conf.modules.d/00-base.conf</filename></term> |
||||||
|
<listitem><para>The set of core modules included with |
||||||
|
<command>httpd</command> which are all loaded by |
||||||
|
default.</para></listitem> |
||||||
|
</varlistentry> |
||||||
|
|
||||||
|
<varlistentry> |
||||||
|
<term><filename>/etc/httpd/conf.modules.d/00-optional.conf</filename></term> |
||||||
|
<listitem><para>The set of non-core modules included with |
||||||
|
<command>httpd</command> which are <emphasis>not</emphasis> |
||||||
|
loaded by default.</para></listitem> |
||||||
|
</varlistentry> |
||||||
|
|
||||||
|
|
||||||
|
<varlistentry> |
||||||
|
<term><filename>/etc/httpd/conf.modules.d/00-systemd.conf</filename></term> |
||||||
|
<listitem><para>This file loads <option>mod_systemd</option> |
||||||
|
which is necessary for the correct operation of the |
||||||
|
<command>httpd.service</command> systemd unit, and should |
||||||
|
not be removed or disabled.</para></listitem> |
||||||
|
</varlistentry> |
||||||
|
</variablelist> |
||||||
|
</para> |
||||||
|
</refsect2> |
||||||
|
|
||||||
|
<refsect2> |
||||||
|
<title>Other configuration files</title> |
||||||
|
|
||||||
|
<para>Default module configuration files and site-specific |
||||||
|
configuration files are loaded from the |
||||||
|
<filename>/etc/httpd/conf.d/</filename> directory. Only files |
||||||
|
with a <option>.conf</option> suffix will be loaded. The |
||||||
|
following files are provided: |
||||||
|
|
||||||
|
<variablelist> |
||||||
|
<varlistentry> |
||||||
|
<term><filename>/etc/httpd/conf.d/userdir.conf</filename></term> |
||||||
|
<listitem><para>This file gives an example configuration for |
||||||
|
<option>mod_userdir</option> to map URLs such as |
||||||
|
<option>http://localhost/~jim/</option> to |
||||||
|
<filename>/home/jim/public_html/</filename>. Userdir mapping |
||||||
|
is disabled by default.</para></listitem> |
||||||
|
</varlistentry> |
||||||
|
|
||||||
|
<varlistentry> |
||||||
|
<term><filename>/etc/httpd/conf.d/autoindex.conf</filename></term> |
||||||
|
<listitem><para>This file provides the default configuration |
||||||
|
for <option>mod_autoindex</option> which generates HTML |
||||||
|
directory listings when enabled. It also makes file icon |
||||||
|
image files available at the <option>/icons/</option> |
||||||
|
URL-path.</para></listitem> |
||||||
|
</varlistentry> |
||||||
|
|
||||||
|
<varlistentry> |
||||||
|
<term><filename>/etc/httpd/conf.d/welcome.conf</filename></term> |
||||||
|
<listitem><para>This file enables a "welcome page" at |
||||||
|
<option>http://localhost/</option> if no content is present |
||||||
|
in the default documentation root |
||||||
|
<filename>/var/www/html</filename>.</para></listitem> |
||||||
|
</varlistentry> |
||||||
|
|
||||||
|
<varlistentry> |
||||||
|
<term><filename>/etc/httpd/conf.d/ssl.conf</filename> (present only if <option>mod_ssl</option> is installed)</term> |
||||||
|
<listitem><para>This file configures a TLS |
||||||
|
<option>VirtualHost</option> listening on port |
||||||
|
<option>443</option>. If the default configuration is used, |
||||||
|
the referenced test certificate and private key are |
||||||
|
generated the first time <command>httpd.service</command> is |
||||||
|
started; see |
||||||
|
<citerefentry><refentrytitle>httpd-init.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> |
||||||
|
for more information.</para></listitem> |
||||||
|
</varlistentry> |
||||||
|
|
||||||
|
</variablelist></para> |
||||||
|
</refsect2> |
||||||
|
|
||||||
|
<refsect2> |
||||||
|
<title>Instantiated services</title> |
||||||
|
|
||||||
|
<para>As an alternative to (or in addition to) the |
||||||
|
<command>httpd.service</command> unit, the instantiated template |
||||||
|
service <command>httpd@.service</command> unit file can be used, |
||||||
|
which starts <command>httpd</command> using a different |
||||||
|
configuration file to the default. For example, |
||||||
|
<command>systemctl start httpd@foobar.service</command> will |
||||||
|
start httpd using the configuration file |
||||||
|
<filename>/etc/httpd/conf/foobar.conf</filename>. See <citerefentry><refentrytitle>httpd@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> for more information.</para> |
||||||
|
</refsect2> |
||||||
|
|
||||||
|
</refsect1> |
||||||
|
<refsect1> |
||||||
|
<title>Files</title> |
||||||
|
|
||||||
|
<para> |
||||||
|
<filename>/etc/httpd/conf/httpd.conf</filename>, |
||||||
|
<filename>/etc/httpd/conf.d</filename>, |
||||||
|
<filename>/etc/httpd/conf.modules.d</filename> |
||||||
|
</para> |
||||||
|
</refsect1> |
||||||
|
|
||||||
|
<refsect1> |
||||||
|
<title>See also</title> |
||||||
|
|
||||||
|
<para> |
||||||
|
<citerefentry><refentrytitle>httpd</refentrytitle><manvolnum>8</manvolnum></citerefentry>, |
||||||
|
<citerefentry><refentrytitle>httpd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>, |
||||||
|
<ulink url="https://httpd.apache.org/docs/2.4/configuring.html"/>, |
||||||
|
<ulink url="https://httpd.apache.org/docs/2.4/mod/directives.html"/> |
||||||
|
</para> |
||||||
|
</refsect1> |
||||||
|
|
||||||
|
</refentry> |
||||||
|
|
||||||
|
<!-- LocalWords: systemd PidFile |
||||||
|
--> |
@ -0,0 +1,11 @@ |
|||||||
|
# Note that logs are not compressed unless "compress" is configured, |
||||||
|
# which can be done either here or globally in /etc/logrotate.conf. |
||||||
|
/var/log/httpd/*log { |
||||||
|
missingok |
||||||
|
notifempty |
||||||
|
sharedscripts |
||||||
|
delaycompress |
||||||
|
postrotate |
||||||
|
/bin/systemctl reload httpd.service > /dev/null 2>/dev/null || true |
||||||
|
endscript |
||||||
|
} |
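Review bot: The `delaycompress` line carries no explanation, and the reason it must stay is non-obvious: the `systemctl reload` in `postrotate` triggers a graceful restart, after which existing children keep writing to the already-rotated files until their requests finish, so compressing on the same run could lose live output. Add a comment above it such as `# keep delaycompress: children still write to the rotated file during a graceful restart`. The reload also touches only `httpd.service`; instances of `httpd@.service` are not reloaded from here even though the `*log` glob will rotate any of their logs placed under /var/log/httpd, which is worth a one-line comment so administrators know to add a `ReloadPropagatedFrom=` drop-in for such instances.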
@ -0,0 +1,33 @@ |
|||||||
|
# See httpd.service(8) for more information on using the httpd service. |
||||||
|
|
||||||
|
# Modifying this file in-place is not recommended, because changes |
||||||
|
# will be overwritten during package upgrades. To customize the |
||||||
|
# behaviour, run "systemctl edit httpd" to create an override unit. |
||||||
|
|
||||||
|
# For example, to pass additional options (such as -D definitions) to |
||||||
|
# the httpd binary at startup, create an override unit (as is done by |
||||||
|
# systemctl edit) and enter the following: |
||||||
|
|
||||||
|
# [Service] |
||||||
|
# Environment=OPTIONS=-DMY_DEFINE |
||||||
|
|
||||||
|
[Unit] |
||||||
|
Description=The Apache HTTP Server |
||||||
|
Wants=httpd-init.service |
||||||
|
After=network.target remote-fs.target nss-lookup.target httpd-init.service |
||||||
|
Documentation=man:httpd.service(8) |
||||||
|
|
||||||
|
[Service] |
||||||
|
Type=notify |
||||||
|
Environment=LANG=C |
||||||
|
|
||||||
|
ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND |
||||||
|
ExecReload=/usr/sbin/httpd $OPTIONS -k graceful |
||||||
|
# Send SIGWINCH for graceful stop |
||||||
|
KillSignal=SIGWINCH |
||||||
|
KillMode=mixed |
||||||
|
PrivateTmp=true |
||||||
|
OOMPolicy=continue |
||||||
|
|
||||||
|
[Install] |
||||||
|
WantedBy=multi-user.target |
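Review bot: `Type=notify` is set without a comment, yet the unit fails outright when `mod_systemd` is not loaded (the accompanying man page says so), and nothing in the unit points the reader at `00-systemd.conf`. Add `# Type=notify requires mod_systemd (loaded by conf.modules.d/00-systemd.conf); httpd will not start without it.` above the `Type=` line. The `ExecReload=` line would likewise benefit from `# -k graceful re-reads the configuration before signalling the parent, so a config error fails the reload rather than the running server`, which appears to be why it is used instead of signalling `$MAINPID` directly.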
@ -0,0 +1,374 @@ |
|||||||
|
<?xml version='1.0' encoding='utf-8'?> |
||||||
|
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" |
||||||
|
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [ |
||||||
|
|
||||||
|
]> |
||||||
|
<!-- |
||||||
|
Copyright 2018 Red Hat, Inc. |
||||||
|
|
||||||
|
Licensed to the Apache Software Foundation (ASF) under one or more |
||||||
|
contributor license agreements. See the NOTICE file distributed with |
||||||
|
this work for additional information regarding copyright ownership. |
||||||
|
The ASF licenses this file to You under the Apache License, Version 2.0 |
||||||
|
(the "License"); you may not use this file except in compliance with |
||||||
|
the License. You may obtain a copy of the License at |
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0 |
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software |
||||||
|
distributed under the License is distributed on an "AS IS" BASIS, |
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||||
|
See the License for the specific language governing permissions and |
||||||
|
limitations under the License. |
||||||
|
--> |
||||||
|
|
||||||
|
<refentry> |
||||||
|
<refentryinfo> |
||||||
|
<title>httpd systemd units</title> |
||||||
|
<productname>httpd</productname> |
||||||
|
<author><contrib>Author</contrib><surname>Orton</surname><firstname>Joe</firstname><email>jorton@redhat.com</email></author> |
||||||
|
</refentryinfo> |
||||||
|
|
||||||
|
<refmeta> |
||||||
|
<refentrytitle>httpd.service</refentrytitle> |
||||||
|
<manvolnum>8</manvolnum> |
||||||
|
</refmeta> |
||||||
|
|
||||||
|
<refnamediv> |
||||||
|
<refname>httpd.service</refname> |
||||||
|
<refname>httpd@.service</refname> |
||||||
|
<refname>httpd.socket</refname> |
||||||
|
<refname>httpd-init.service</refname> |
||||||
|
<refpurpose>httpd unit files for systemd</refpurpose> |
||||||
|
</refnamediv> |
||||||
|
|
||||||
|
<refsynopsisdiv> |
||||||
|
<para> |
||||||
|
<filename>/usr/lib/systemd/system/httpd.service</filename>, |
||||||
|
<filename>/usr/lib/systemd/system/httpd@.service</filename>, |
||||||
|
<filename>/usr/lib/systemd/system/httpd-init.service</filename>, |
||||||
|
<filename>/usr/lib/systemd/system/httpd.socket</filename> |
||||||
|
</para> |
||||||
|
</refsynopsisdiv> |
||||||
|
|
||||||
|
<refsect1> |
||||||
|
<title>Description</title> |
||||||
|
|
||||||
|
<para>This manual page describes the <command>systemd</command> |
||||||
|
unit files used to integrate the <command>httpd</command> daemon |
||||||
|
with <command>systemd</command>. Two main unit files are |
||||||
|
available: <command>httpd.service</command> allows the |
||||||
|
<command>httpd</command> daemon to be run as a system service, and |
||||||
|
<command>httpd.socket</command> allows httpd to be started via |
||||||
|
socket-based activation. Most systems will use |
||||||
|
<command>httpd.service</command>.</para> |
||||||
|
|
||||||
|
<para>The <command>apachectl</command> command has been modified |
||||||
|
to invoke <command>systemctl</command> for most uses, so for |
||||||
|
example, running <command>apachectl start</command> is equivalent |
||||||
|
to running <command>systemctl start httpd.service</command>. This |
||||||
|
ensures that the running httpd daemon is tracked and managed by |
||||||
|
<command>systemd</command>. In contrast, running |
||||||
|
<command>httpd</command> directly from a root shell will start the |
||||||
|
service outside of <command>systemd</command>; in this case, |
||||||
|
default security restrictions described below (including, but not |
||||||
|
limited to, SELinux) will not be enforced.</para> |
||||||
|
|
||||||
|
<refsect2> |
||||||
|
<title>Changing default behaviour</title> |
||||||
|
|
||||||
|
<para>To change the default behaviour of the httpd service, an |
||||||
|
<emphasis>over-ride</emphasis> file should be created, rather |
||||||
|
than changing |
||||||
|
<filename>/usr/lib/systemd/system/httpd.service</filename> |
||||||
|
directly, since such changes would be lost over package |
||||||
|
upgrades. Running <command>systemctl edit |
||||||
|
httpd.service</command> or <command>systemctl edit |
||||||
|
httpd.socket</command> as root will create a drop-in file (in |
||||||
|
the former case, in |
||||||
|
<filename>/etc/systemd/system/httpd.service.d</filename>) which |
||||||
|
over-rides the system defaults.</para> |
||||||
|
|
||||||
|
<para>For example, to set the <option>LD_LIBRARY_PATH</option> |
||||||
|
environment variable for the daemon, run <command>systemctl edit |
||||||
|
httpd.service</command> and enter: |
||||||
|
|
||||||
|
<programlisting>[Service] |
||||||
|
Environment=LD_LIBRARY_PATH=/opt/vendor/lib</programlisting></para> |
||||||
|
</refsect2> |
||||||
|
|
||||||
|
<refsect2> |
||||||
|
<title>Starting the service at boot time</title> |
||||||
|
|
||||||
|
<para>The httpd.service and httpd.socket units are |
||||||
|
<emphasis>disabled</emphasis> by default. To start the httpd |
||||||
|
service at boot time, run: <command>systemctl enable |
||||||
|
httpd.service</command>. In the default configuration, the |
||||||
|
httpd daemon will accept connections on port 80 (and, if mod_ssl |
||||||
|
is installed, TLS connections on port 443) for any configured |
||||||
|
IPv4 or IPv6 address.</para> |
||||||
|
|
||||||
|
<para>If httpd is configured to depend on any specific IP |
||||||
|
address (for example, with a "Listen" directive) which may only |
||||||
|
become available during start-up, or if httpd depends on other |
||||||
|
services (such as a database daemon), the service |
||||||
|
<emphasis>must</emphasis> be configured to ensure correct |
||||||
|
start-up ordering.</para> |
||||||
|
|
||||||
|
<para>For example, to ensure httpd is only running after all |
||||||
|
configured network interfaces are configured, create a drop-in |
||||||
|
file (as described above) with the following section: |
||||||
|
|
||||||
|
<programlisting>[Unit] |
||||||
|
After=network-online.target |
||||||
|
Wants=network-online.target</programlisting> |
||||||
|
|
||||||
|
See <ulink |
||||||
|
url="https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/"/> |
||||||
|
for more information on start-up ordering with systemd.</para> |
||||||
|
|
||||||
|
</refsect2> |
||||||
|
|
||||||
|
<refsect2> |
||||||
|
<title>SSL/TLS certificate generation</title> |
||||||
|
|
||||||
|
<para>The <command>httpd-init.service</command> unit is provided |
||||||
|
with the mod_ssl package. This oneshot unit automatically |
||||||
|
creates a TLS server certificate and key (using a generated |
||||||
|
self-signed CA certificate and key) for testing purposes before |
||||||
|
httpd is started. To inhibit certificate generation, use |
||||||
|
<command>systemctl mask httpd-init.service</command> after |
||||||
|
installing mod_ssl, and adjust the mod_ssl configuration to use |
||||||
|
an appropriate certificate and key.</para> |
||||||
|
|
||||||
|
</refsect2> |
||||||
|
|
||||||
|
<refsect2> |
||||||
|
<title>Reloading and stopping the service</title> |
||||||
|
|
||||||
|
<para>When running <command>systemctl reload |
||||||
|
httpd.service</command>, a <emphasis>graceful</emphasis> |
||||||
|
restart is used, which sends a signal to the httpd parent |
||||||
|
process to reload the configuration and re-open log files. Any |
||||||
|
children with open connections at the time of reload will |
||||||
|
terminate only once they have completed serving requests. This |
||||||
|
prevents users of the server seeing errors (or potentially |
||||||
|
losing data) due to the reload, but means some there is some |
||||||
|
delay before any configuration changes take effect for all |
||||||
|
users.</para> |
||||||
|
|
||||||
|
<para>Similarly, a <emphasis>graceful stop</emphasis> is used |
||||||
|
when <command>systemctl stop httpd.service</command> is run, |
||||||
|
which terminates the server only once active connections have |
||||||
|
been processed.</para> |
||||||
|
|
||||||
|
<para>To "ungracefully" stop the server without waiting for |
||||||
|
requests to complete, use <command>systemctl kill |
||||||
|
--kill-who=main httpd</command>; similarly to "ungracefully" |
||||||
|
reload the configuration, use <command>systemctl kill |
||||||
|
--kill-who=main --signal=HUP httpd</command>.</para> |
||||||
|
</refsect2> |
||||||
|
|
||||||
|
<refsect2> |
||||||
|
<title>Automated service restarts</title> |
||||||
|
|
||||||
|
<para>System packages (including the httpd package itself) may |
||||||
|
restart the httpd service automatically after packages are |
||||||
|
upgraded, installed, or removed. This is done using the |
||||||
|
<command>systemctl try-restart httpd.service</command>, which |
||||||
|
stops then starts the service if it is running.</para> |
||||||
|
|
||||||
|
<para>To disable automatic restarts, create the file |
||||||
|
<filename>/etc/sysconfig/httpd-disable-posttrans</filename>. |
||||||
|
When <command>httpd</command> interfaces are added in an update, |
||||||
|
it may not be safe to <emphasis>reload</emphasis> a running |
||||||
|
service after upgrading, if updated modules require interfaces |
||||||
|
only available in the updated httpd. It is recommended to allow |
||||||
|
automatic restarts for this reason.</para> |
||||||
|
</refsect2> |
||||||
|
|
||||||
|
<refsect2> |
||||||
|
<title>Changing the default MPM (Multi-Processing Module)</title> |
||||||
|
|
||||||
|
<para>httpd offers a choice of multi-processing modules (MPMs), |
||||||
|
which can be configured in |
||||||
|
<filename>/etc/httpd/conf.modules.d/00-mpm.conf</filename>. |
||||||
|
See |
||||||
|
<citerefentry><refentrytitle>httpd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> |
||||||
|
for more information on changing the MPM.</para> |
||||||
|
</refsect2> |
||||||
|
|
||||||
|
<refsect2> |
||||||
|
<title>systemd integration and mod_systemd</title> |
||||||
|
|
||||||
|
<para>The httpd service uses the <option>notify</option> systemd |
||||||
|
service type. The <literal>mod_systemd</literal> module must be |
||||||
|
loaded (as in the default configuration) for this to work |
||||||
|
correctly - the service will fail if this module is not |
||||||
|
loaded. <literal>mod_systemd</literal> also makes worker and |
||||||
|
request statistics available when running <command>systemctl status |
||||||
|
httpd</command>. See |
||||||
|
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> |
||||||
|
for more information on systemd service types.</para> |
||||||
|
</refsect2> |
||||||
|
|
||||||
|
<refsect2> |
||||||
|
<title>Security and SELinux</title> |
||||||
|
|
||||||
|
<para>The default SELinux policy restricts the httpd service in |
||||||
|
various ways. For example, the default policy limits the ports |
||||||
|
to which httpd can bind (using the <literal>Listen</literal> |
||||||
|
directive), which parts of the filesystem can be accessed, and |
||||||
|
whether outgoing TCP connections are possible. Many of these |
||||||
|
restrictions can be relaxed or adjusted by using |
||||||
|
<command>semanage</command> to change booleans or other |
||||||
|
types. See |
||||||
|
<citerefentry><refentrytitle>httpd_selinux</refentrytitle><manvolnum>8</manvolnum></citerefentry> |
||||||
|
for more information.</para> |
||||||
|
</refsect2> |
||||||
|
|
||||||
|
<refsect2> |
||||||
|
<title>Process policies and restrictions</title> |
||||||
|
|
||||||
|
<para>The httpd service uses the following options: |
||||||
|
|
||||||
|
<itemizedlist> |
||||||
|
<listitem><para><emphasis>PrivateTmp</emphasis> is enabled by |
||||||
|
default. The <filename>/tmp</filename> and |
||||||
|
<filename>/var/tmp</filename> directories available within the |
||||||
|
httpd process (and CGI scripts, etc) are not shared by other |
||||||
|
processes.</para></listitem> |
||||||
|
|
||||||
|
<listitem><para><emphasis>OOMPolicy</emphasis> is set to |
||||||
|
<emphasis>continue</emphasis> by default. Under the default |
||||||
|
Out-of-Memory policy, the entire service will be terminated if |
||||||
|
any process is killed by the kernel OOM killer. By setting |
||||||
|
the policy to <emphasis>continue</emphasis>, httpd will |
||||||
|
continue to run (and recover) if a single child is terminated |
||||||
|
because of excess memory consumption.</para></listitem> |
||||||
|
</itemizedlist> |
||||||
|
|
||||||
|
See |
||||||
|
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> |
||||||
|
and |
||||||
|
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry> |
||||||
|
for more information.</para> |
||||||
|
</refsect2> |
||||||
|
|
||||||
|
<refsect2> |
||||||
|
<title>Logging and log file rotation</title> |
||||||
|
|
||||||
|
<para>The <command>httpd</command> daemon is configured to log |
||||||
|
to the <filename>/var/log/httpd</filename> directory by default, |
||||||
|
and a drop-in for <command>logrotate</command> is provided at |
||||||
|
<filename>/etc/logrotate.d/httpd</filename> to enable log file |
||||||
|
rotation. The <command>httpd.service</command> systemd unit is |
||||||
|
reloaded after a <command>logrotate</command> run.</para> |
||||||
|
|
||||||
|
<para>Log file compression is not enabled by default; since |
||||||
|
<command>httpd</command> can continue writing to open log files |
||||||
|
for some time after a reload (graceful restart), if compression |
||||||
|
is enabled the <literal>delaycompress</literal> option must be |
||||||
|
present (as in the default) to delay compression of log files to |
||||||
|
a later rotation run.</para> |
||||||
|
</refsect2> |
||||||
|
|
||||||
|
<refsect2> |
||||||
|
<title>Socket activation</title> |
||||||
|
|
||||||
|
<para>Socket activation (see |
||||||
|
<citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry> |
||||||
|
for more information) can be used with <command>httpd</command> |
||||||
|
by enabling the <command>httpd.socket</command> unit. The |
||||||
|
<command>httpd</command> listener configuration must exactly |
||||||
|
match the <literal>ListenStream</literal> options configured for |
||||||
|
the <command>httpd.socket</command> unit. The default |
||||||
|
<command>httpd.socket</command> has a |
||||||
|
<literal>ListenStream=80</literal> and, if mod_ssl is installed, |
||||||
|
<literal>ListenStream=443</literal> by a drop-in file. If |
||||||
|
additional <literal>Listen</literal> directives are added to the |
||||||
|
httpd configuration, corresponding |
||||||
|
<literal>ListenStream</literal> options should be added via |
||||||
|
drop-in files, for example via <command>systemctl edit |
||||||
|
httpd.socket</command>.</para> |
||||||
|
|
||||||
|
<para>If using socket activation with httpd, only one listener |
||||||
|
on any given TCP port is supported; a configuration with both |
||||||
|
"<literal>Listen 127.0.0.1:80</literal>" and "<literal>Listen |
||||||
|
192.168.1.2:80</literal>" will not work.</para> |
||||||
|
</refsect2> |
||||||
|
|
||||||
|
<refsect2> |
||||||
|
<title>Instantiated services</title> |
||||||
|
|
||||||
|
<para>The <command>httpd@.service</command> unit is a template |
||||||
|
for creating instantiated services. An instance of this unit |
||||||
|
will be started using the configuration file |
||||||
|
<filename>/etc/httpd/conf/INSTANCE.conf</filename>, where |
||||||
|
<emphasis>INSTANCE</emphasis> is replaced with the instance |
||||||
|
name. For example, <command>systemctl start |
||||||
|
httpd@foobar.service</command> will start httpd using the |
||||||
|
configuration file |
||||||
|
<filename>/etc/httpd/conf/foobar.conf</filename>. The |
||||||
|
<option>HTTPD_INSTANCE</option> environment variable is set to |
||||||
|
the instance name by the unit and is available for use within |
||||||
|
the configuration file.</para> |
||||||
|
|
||||||
|
<para>To allow multiple instances of httpd to run |
||||||
|
simultaneously, a number of configuration directives must be |
||||||
|
changed, such as <command>PidFile</command> and |
||||||
|
<command>DefaultRuntimeDir</command> to pick non-conflicting |
||||||
|
paths, and <command>Listen</command> to choose different ports. |
||||||
|
The example configuration file |
||||||
|
<filename>/usr/share/doc/httpd/instance.conf</filename> |
||||||
|
demonstrates how to make such changes using the |
||||||
|
<option>HTTPD_INSTANCE</option> variable.</para> |
||||||
|
|
||||||
|
<para>It can be useful to configure instances of |
||||||
|
<command>httpd@.service</command> to reload when |
||||||
|
<command>httpd.service</command> is reloaded; for example, |
||||||
|
<command>logrotate</command> will reload only |
||||||
|
<command>httpd.service</command> when logs are rotated. If this |
||||||
|
behaviour is required, create a drop-in file for the instance as |
||||||
|
follows: |
||||||
|
|
||||||
|
<programlisting>[Unit] |
||||||
|
ReloadPropagatedFrom=httpd.service</programlisting> |
||||||
|
|
||||||
|
As with normal units, drop-in files for instances can be created |
||||||
|
using <command>systemctl edit</command>, e.g. <command>systemctl edit |
||||||
|
httpd@foobar.service</command>.</para> |
||||||
|
</refsect2> |
||||||
|
|
||||||
|
</refsect1> |
||||||
|
|
||||||
|
<refsect1> |
||||||
|
<title>Files</title> |
||||||
|
|
||||||
|
<para><filename>/usr/lib/systemd/system/httpd.service</filename>, |
||||||
|
<filename>/usr/lib/systemd/system/httpd.socket</filename>, |
||||||
|
<filename>/usr/lib/systemd/system/httpd@.service</filename>, |
||||||
|
<filename>/etc/systemd/systemd/httpd.service.d</filename></para> |
||||||
|
</refsect1> |
||||||
|
|
||||||
|
<refsect1> |
||||||
|
<title>See also</title> |
||||||
|
|
||||||
|
<para> |
||||||
|
<citerefentry><refentrytitle>httpd</refentrytitle><manvolnum>8</manvolnum></citerefentry>, |
||||||
|
<citerefentry><refentrytitle>httpd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
||||||
|
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, |
||||||
|
<citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>, |
||||||
|
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
||||||
|
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
||||||
|
<citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
||||||
|
<citerefentry><refentrytitle>httpd_selinux</refentrytitle><manvolnum>8</manvolnum></citerefentry>, |
||||||
|
<citerefentry><refentrytitle>semanage</refentrytitle><manvolnum>8</manvolnum></citerefentry>, |
||||||
|
<citerefentry><refentrytitle>logrotate</refentrytitle><manvolnum>8</manvolnum></citerefentry> |
||||||
|
</para> |
||||||
|
</refsect1> |
||||||
|
|
||||||
|
</refentry> |
||||||
|
|
||||||
|
<!-- LocalWords: systemd PidFile |
||||||
|
--> |
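--- /dev/null
+++ b/[path not shown on page #1]
@@ -0,0 +1,13 @@
+# See httpd.socket(8) for more information on using the httpd service.
+
+[Unit]
+Description=Apache httpd Server Socket
+Documentation=man:httpd.socket(8)
+
+[Socket]
+ListenStream=80
+NoDelay=true
+DeferAcceptSec=30
+
+[Install]
+WantedBy=sockets.target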
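--- /dev/null
+++ b/[path not shown on page #2]
@@ -0,0 +1,2 @@
+d /run/httpd 710 root apache
+d /run/httpd/htcacheclean 700 apache apache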
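--- /dev/null
+++ b/[path not shown on page #3]
@@ -0,0 +1,26 @@
+# This is a template for httpd instances.
+# See httpd@.service(8) for more information.
+
+[Unit]
+Description=The Apache HTTP Server
+After=network.target remote-fs.target nss-lookup.target
+Documentation=man:httpd@.service(8)
+
+[Service]
+Type=notify
+Environment=LANG=C
+Environment=HTTPD_INSTANCE=%i
+ExecStartPre=/bin/mkdir -m 710 -p /run/httpd/instance-%i
+ExecStartPre=/bin/chown root.apache /run/httpd/instance-%i
+ExecStartPre=/bin/mkdir -m 700 -p /var/lib/httpd/instance-%i
+ExecStartPre=/bin/chown apache.apache /var/lib/httpd/instance-%i
+ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND -f conf/%i.conf
+ExecReload=/usr/sbin/httpd $OPTIONS -k graceful -f conf/%i.conf
+# Send SIGWINCH for graceful stop
+KillSignal=SIGWINCH
+KillMode=mixed
+PrivateTmp=true
+OOMPolicy=continue
+
+[Install]
+WantedBy=multi-user.target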
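Review bot: The two `ExecStartPre=/bin/chown` lines use the legacy `user.group` separator (`root.apache`, `apache.apache`); the documented form is `user:group`, and the dot form becomes ambiguous as soon as a user or group name itself contains a dot. I would change them to `ExecStartPre=/bin/chown root:apache /run/httpd/instance-%i` and `ExecStartPre=/bin/chown apache:apache /var/lib/httpd/instance-%i`. The template carries no sandboxing beyond `PrivateTmp=true`; if the main httpd.service added by this commit (not visible here) sets directives such as `ProtectSystem=` or `ProtectHome=`, the instance template should mirror them so that per-instance servers do not run with a weaker profile than the default service.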
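--- /dev/null
+++ b/[path not shown on page #4]
@@ -0,0 +1,24 @@
+#
+# This is an example instance-specific configuration file. See the
+# httpd@.service(8) man page for detailed information on using the
+# the httpd@.service with instances.
+#
+# To use this example, copy instance.conf to /etc/httpd/conf/foobar.conf
+# This config will then used as the default configuration when
+# running:
+#
+# # systemctl start httpd@foobar.service
+#
+# The changes compared to the default are:
+# - DefaultRuntime, DefaultStateDir and Pidfile renamed to instance-specific
+# - default logfile names are prefixed with the instance name
+# - /etc/httpd/conf.d is NOT included by default (conf.modules.d still is)
+#
+# Further customisations will be required for an instance to run
+# simultaneously to httpd.service under the default configuration,
+# e.g. changing the port used with Listen.
+#
+
+DefaultRuntimeDir /run/httpd/instance-${HTTPD_INSTANCE}
+DefaultStateDir /var/lib/httpd/instance-${HTTPD_INSTANCE}
+PidFile /run/httpd/instance-${HTTPD_INSTANCE}.pid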
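Review bot: The header comment does not match the directives it describes: the bullet names `DefaultRuntime` and `Pidfile`, while the file actually sets `DefaultRuntimeDir` and `PidFile`, and the bullets about instance-prefixed log file names and conf.d not being included are not backed by anything visible in this file (no ErrorLog, CustomLog or Include appears here), so if that is implemented elsewhere the comment should say where. I would rewrite the first bullet as `# - DefaultRuntimeDir, DefaultStateDir and PidFile renamed to instance-specific`. Two typos as well: "on using the / the httpd@.service" doubles "the", and "This config will then used" should read "This config will then be used".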
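--- /dev/null
+++ b/[path not shown on page #5]
@@ -0,0 +1,33 @@
+--- doc/config/lighttpd.conf~ 2021-12-02 09:34:06.450352761 -0600
++++ doc/config/lighttpd.conf 2021-12-02 09:36:04.345770602 -0600
+@@ -14,8 +14,8 @@
+## chroot example as well.
+##
+var.log_root = "/var/log/lighttpd"
+-var.server_root = "/srv/www"
+-var.state_dir = "/run"
++var.server_root = "/var/www"
++var.state_dir = "/run/lighttpd"
+var.home_dir = "/var/lib/lighttpd"
+var.conf_dir = "/etc/lighttpd"
+
+@@ -436,7 +436,7 @@
+## # Check your cipher list with: openssl ciphers -v '...'
+## # (use single quotes with: openssl ciphers -v '...'
+## # as your shell won't like ! in double quotes)
+-## #ssl.cipher-list = "HIGH" # default
++## #ssl.cipher-list = "PROFILE=SYSTEM"
+##
+## # (recommended to accept only TLSv1.2 and TLSv1.3)
+## #ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2") # default
+--- doc/config/lighttpd.conf~ 2022-07-28 10:49:14.928564535 -0500
++++ doc/config/lighttpd.conf 2022-07-28 10:49:47.161444622 -0500
+@@ -118,7 +118,7 @@
+##
+## Document root
+##
+-server.document-root = server_root + "/htdocs"
++server.document-root = server_root + "/lighttpd"
+
+##
+## The value for the "Server:" response field.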
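--- /dev/null
+++ b/[path not shown on page #6]
@@ -0,0 +1,13 @@
+#
+# This configuration file allows the manual to be accessed at
+# http://localhost/manual/
+#
+Alias /manual /usr/share/httpd/manual
+
+<Directory "/usr/share/httpd/manual">
+Options Indexes
+AllowOverride None
+Require all granted
+
+RedirectMatch 301 ^/manual/(?:da|de|en|es|fr|ja|ko|pt-br|ru|tr|zh-cn)(/.*)$ "/manual$1"
+</Directory>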
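--- /dev/null
+++ b/[path not shown on page #7]
@@ -0,0 +1,10 @@
+#
+# Lua-based server-status page; requires mod_lua to be loaded
+# as per default configuration.
+#
+LuaMapHandler ^/server-status$ /usr/share/httpd/server-status/server-status.lua
+
+<Directory /usr/share/httpd/server-status>
+AllowOverride None
+Require local
+</Directory>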
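Review bot: The `Require local` restriction is attached to `<Directory /usr/share/httpd/server-status>`, i.e. to the filesystem location of the Lua script, but the request it is meant to guard arrives as the URL `/server-status` through `LuaMapHandler`; as far as I can tell mod_lua's mapped handler selects the script without mapping the request filename into that directory, so the Directory block may never be merged into the request and the status page (client addresses, request URLs, worker state) would be reachable from any client. Please verify against mod_lua's behaviour; if the Directory block does not apply, the access control belongs on the URL: `<Location /server-status>` / `Require local` / `</Location>`. The comment at the top could then state explicitly that the page is intended to be reachable only from the local host.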
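--- /dev/null
+++ b/[path not shown on page #8]
@@ -0,0 +1,203 @@
+#
+# When we also provide SSL we have to listen to the
+# standard HTTPS port in addition.
+#
+Listen 443 https
+
+##
+## SSL Global Context
+##
+## All SSL configuration in this context applies both to
+## the main server and all SSL-enabled virtual hosts.
+##
+
+# Pass Phrase Dialog:
+# Configure the pass phrase gathering process.
+# The filtering dialog program (`builtin' is a internal
+# terminal dialog) has to provide the pass phrase on stdout.
+SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
+
+# Inter-Process Session Cache:
+# Configure the SSL Session Cache: First the mechanism
+# to use and second the expiring timeout (in seconds).
+SSLSessionCache shmcb:/run/httpd/sslcache(512000)
+SSLSessionCacheTimeout 300
+
+#
+# Use "SSLCryptoDevice" to enable any supported hardware
+# accelerators. Use "openssl engine -v" to list supported
+# engine names. NOTE: If you enable an accelerator and the
+# server does not start, consult the error logs and ensure
+# your accelerator is functioning properly.
+#
+SSLCryptoDevice builtin
+#SSLCryptoDevice ubsec
+
+##
+## SSL Virtual Host Context
+##
+
+<VirtualHost _default_:443>
+
+# General setup for the virtual host, inherited from global configuration
+#DocumentRoot "/var/www/html"
+#ServerName www.example.com:443
+
+# Use separate log files for the SSL virtual host; note that LogLevel
+# is not inherited from httpd.conf.
+ErrorLog logs/ssl_error_log
+TransferLog logs/ssl_access_log
+LogLevel warn
+
+# SSL Engine Switch:
+# Enable/Disable SSL for this virtual host.
+SSLEngine on
+
+# List the protocol versions which clients are allowed to connect with.
+# The OpenSSL system profile is used by default. See
+# update-crypto-policies(8) for more details.
+#SSLProtocol all -SSLv3
+#SSLProxyProtocol all -SSLv3
+
+# User agents such as web browsers are not configured for the user's
+# own preference of either security or performance, therefore this
+# must be the prerogative of the web server administrator who manages
+# cpu load versus confidentiality, so enforce the server's cipher order.
+SSLHonorCipherOrder on
+
+# SSL Cipher Suite:
+# List the ciphers that the client is permitted to negotiate.
+# See the mod_ssl documentation for a complete list.
+# The OpenSSL system profile is configured by default. See
+# update-crypto-policies(8) for more details.
+SSLCipherSuite PROFILE=SYSTEM
+SSLProxyCipherSuite PROFILE=SYSTEM
+
+# Point SSLCertificateFile at a PEM encoded certificate. If
+# the certificate is encrypted, then you will be prompted for a
+# pass phrase. Note that restarting httpd will prompt again. Keep
+# in mind that if you have both an RSA and a DSA certificate you
+# can configure both in parallel (to also allow the use of DSA
+# ciphers, etc.)
+# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
+# require an ECC certificate which can also be configured in
+# parallel.
+SSLCertificateFile /etc/pki/tls/certs/localhost.crt
+
+# Server Private Key:
+# If the key is not combined with the certificate, use this
+# directive to point at the key file. Keep in mind that if
+# you've both a RSA and a DSA private key you can configure
+# both in parallel (to also allow the use of DSA ciphers, etc.)
+# ECC keys, when in use, can also be configured in parallel
+SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
+
+# Server Certificate Chain:
+# Point SSLCertificateChainFile at a file containing the
+# concatenation of PEM encoded CA certificates which form the
+# certificate chain for the server certificate. Alternatively
+# the referenced file can be the same as SSLCertificateFile
+# when the CA certificates are directly appended to the server
+# certificate for convenience.
+#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
+
+# Certificate Authority (CA):
+# Set the CA certificate verification path where to find CA
+# certificates for client authentication or alternatively one
+# huge file containing all of them (file must be PEM encoded)
+#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
+
+# Client Authentication (Type):
+# Client certificate verification type and depth. Types are
+# none, optional, require and optional_no_ca. Depth is a
+# number which specifies how deeply to verify the certificate
+# issuer chain before deciding the certificate is not valid.
+#SSLVerifyClient require
+#SSLVerifyDepth 10
+
+# Access Control:
+# With SSLRequire you can do per-directory access control based
+# on arbitrary complex boolean expressions containing server
+# variable checks and other lookup directives. The syntax is a
+# mixture between C and Perl. See the mod_ssl documentation
+# for more details.
+#<Location />
+#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
+# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+#</Location>
+
+# SSL Engine Options:
+# Set various options for the SSL engine.
+# o FakeBasicAuth:
+# Translate the client X.509 into a Basic Authorisation. This means that
+# the standard Auth/DBMAuth methods can be used for access control. The
+# user name is the `one line' version of the client's X.509 certificate.
+# Note that no password is obtained from the user. Every entry in the user
+# file needs this password: `xxj31ZMTZzkVA'.
+# o ExportCertData:
+# This exports two additional environment variables: SSL_CLIENT_CERT and
+# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+# server (always existing) and the client (only existing when client
+# authentication is used). This can be used to import the certificates
+# into CGI scripts.
+# o StdEnvVars:
+# This exports the standard SSL/TLS related `SSL_*' environment variables.
+# Per default this exportation is switched off for performance reasons,
+# because the extraction step is an expensive operation and is usually
+# useless for serving static content. So one usually enables the
+# exportation for CGI and SSI requests only.
+# o StrictRequire:
+# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+# under a "Satisfy any" situation, i.e. when it applies access is denied
+# and no other module can change it.
+# o OptRenegotiate:
+# This enables optimized SSL connection renegotiation handling when SSL
+# directives are used in per-directory context.
+#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+<FilesMatch "\.(cgi|shtml|phtml|php)$">
+SSLOptions +StdEnvVars
+</FilesMatch>
+<Directory "/var/www/cgi-bin">
+SSLOptions +StdEnvVars
+</Directory>
+
+# SSL Protocol Adjustments:
+# The safe and default but still SSL/TLS standard compliant shutdown
+# approach is that mod_ssl sends the close notify alert but doesn't wait for
+# the close notify alert from client. When you need a different shutdown
+# approach you can use one of the following variables:
+# o ssl-unclean-shutdown:
+# This forces an unclean shutdown when the connection is closed, i.e. no
+# SSL close notify alert is sent or allowed to be received. This violates
+# the SSL/TLS standard but is needed for some brain-dead browsers. Use
+# this when you receive I/O errors because of the standard approach where
+# mod_ssl sends the close notify alert.
+# o ssl-accurate-shutdown:
+# This forces an accurate shutdown when the connection is closed, i.e. a
+# SSL close notify alert is sent and mod_ssl waits for the close notify
+# alert of the client. This is 100% SSL/TLS standard compliant, but in
+# practice often causes hanging connections with brain-dead browsers. Use
+# this only for browsers where you know that their SSL implementation
+# works correctly.
+# Notice: Most problems of broken clients are also related to the HTTP
+# keep-alive facility, so you usually additionally want to disable
+# keep-alive for those clients, too. Use variable "nokeepalive" for this.
+# Similarly, one has to force some clients to use HTTP/1.0 to workaround
+# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+# "force-response-1.0" for this.
+BrowserMatch "MSIE [2-5]" \
+nokeepalive ssl-unclean-shutdown \
+downgrade-1.0 force-response-1.0
+
+# Per-Server Logging:
+# The home of a custom SSL log file. Use this when you want a
+# compact non-error SSL logfile on a virtual host basis.
+CustomLog logs/ssl_request_log \
+"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+</VirtualHost>
+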
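Review bot: The "Server Certificate Chain" comment block ending at `#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt` presents a deprecated directive as a normal alternative: since httpd 2.4.8 mod_ssl reads intermediate certificates from the file named by `SSLCertificateFile`, and `SSLCertificateChainFile` is kept only for compatibility. I would add `# Deprecated since httpd 2.4.8: append the chain to the SSLCertificateFile instead.` above the commented directive so administrators do not copy the old form into new deployments. The `BrowserMatch "MSIE [2-5]"` block likewise targets clients that no longer exist; a one-line comment saying it is kept only for historical compatibility and is safe to remove would let administrators trim the unclean-shutdown and HTTP/1.0 downgrade behaviour it enables.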
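--- /dev/null
+++ b/[path not shown on page #9]
@@ -0,0 +1,36 @@
+#
+# UserDir: The name of the directory that is appended onto a user's home
+# directory if a ~user request is received.
+#
+# The path to the end user account 'public_html' directory must be
+# accessible to the webserver userid. This usually means that ~userid
+# must have permissions of 711, ~userid/public_html must have permissions
+# of 755, and documents contained therein must be world-readable.
+# Otherwise, the client will only receive a "403 Forbidden" message.
+#
+<IfModule mod_userdir.c>
+#
+# UserDir is disabled by default since it can confirm the presence
+# of a username on the system (depending on home directory
+# permissions).
+#
+UserDir disabled
+
+#
+# To enable requests to /~user/ to serve the user's public_html
+# directory, remove the "UserDir disabled" line above, and uncomment
+# the following line instead:
+#
+#UserDir public_html
+</IfModule>
+
+#
+# Control access to UserDir directories. The following is an example
+# for a site where these directories are restricted to read-only.
+#
+<Directory "/home/*/public_html">
+AllowOverride FileInfo AuthConfig Limit Indexes
+Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
+Require method GET POST OPTIONS
+</Directory>
+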
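Review bot: The comment above `<Directory "/home/*/public_html">` says the directories are "restricted to read-only", but `Require method GET POST OPTIONS` also admits POST, which is not a read-only method; either drop POST so the directive matches the comment, or reword the comment to name the permitted methods and why POST is among them. It is also worth stating in that comment that the Directory block is active regardless of `UserDir disabled`, so the moment an administrator enables `UserDir public_html` every user gains `.htaccess` control over `FileInfo AuthConfig Limit Indexes` in their own tree; a line such as `# Applies as soon as UserDir is enabled; review AllowOverride before doing so.` would make that consequence visible.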
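--- /dev/null
+++ b/[path not shown on page #10]
@@ -0,0 +1,20 @@
+#
+# This configuration file enables the default "Welcome" page if there
+# is no default index page present for the root URL. To disable the
+# Welcome page, comment out all the lines below.
+#
+# NOTE: if this file is removed, it will be restored on upgrades.
+#
+<LocationMatch "^/+$">
+Options -Indexes
+ErrorDocument 403 /.noindex.html
+</LocationMatch>
+
+<Directory /usr/share/httpd/noindex>
+AllowOverride None
+Require all granted
+</Directory>
+
+Alias /.noindex.html /usr/share/httpd/noindex/index.html
+Alias /poweredby.png /usr/share/httpd/icons/apache_pb3.png
+Alias /system_noindex_logo.png /usr/share/httpd/icons/system_noindex_logo.png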