rpms
/
httpd
7
0
Fork 0
Code Issues Pull Requests Releases Activity

new version 2.4.48 

Resolves: #1952817 - rebase to 2.4.48
This commit is contained in:
Luboš Uhliarik 2021-06-02 18:50:42 +02:00
parent 16516bd59b
commit 538ad5ff55
9 changed files with 65 additions and 514 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -38,3 +38,4 @@ x86_64
/httpd-2.4.43.tar.bz2.asc
/KEYS
/httpd-2.4.46.tar.bz2.asc
/httpd-2.4.48.tar.bz2.asc

115
httpd-2.4.43-r1870095+.patch
View File

@ -1,115 +0,0 @@
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index cbab6a3..765aa4b 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -114,6 +114,45 @@ static int has_buffered_data(request_rec *r)
return result;
}
+/* If a renegotiation is required for the location, and the request
+ * includes a message body (and the client has not requested a "100
+ * Continue" response), then the client will be streaming the request
+ * body over the wire already. In that case, it is not possible to
+ * stop and perform a new SSL handshake immediately; once the SSL
+ * library moves to the "accept" state, it will reject the SSL packets
+ * which the client is sending for the request body.
+ *
+ * To allow authentication to complete in the hook, the solution used
+ * here is to fill a (bounded) buffer with the request body, and then
+ * to reinject that request body later.
+ *
+ * This function is called to fill the renegotiation buffer for the
+ * location as required, or fail. Returns zero on success or HTTP_
+ * error code on failure.
+ */
+static int fill_reneg_buffer(request_rec *r, SSLDirConfigRec *dc)
+{
+ int rv;
+ apr_size_t rsize;
+
+ /* ### this is HTTP/1.1 specific, special case for protocol? */
+ if (r->expecting_100 || !ap_request_has_body(r)) {
+ return 0;
+ }
+
+ rsize = dc->nRenegBufferSize == UNSET ? DEFAULT_RENEG_BUFFER_SIZE : dc->nRenegBufferSize;
+ if (rsize > 0) {
+ /* Fill the I/O buffer with the request body if possible. */
+ rv = ssl_io_buffer_fill(r, rsize);
+ }
+ else {
+ /* If the reneg buffer size is set to zero, just fail. */
+ rv = HTTP_REQUEST_ENTITY_TOO_LARGE;
+ }
+
+ return rv;
+}
+
#ifdef HAVE_TLSEXT
static int ap_array_same_str_set(apr_array_header_t *s1, apr_array_header_t *s2)
{
@@ -814,41 +853,14 @@ static int ssl_hook_Access_classic(request_rec *r, SSLSrvConfigRec *sc, SSLDirCo
}
}
- /* If a renegotiation is now required for this location, and the
- * request includes a message body (and the client has not
- * requested a "100 Continue" response), then the client will be
- * streaming the request body over the wire already. In that
- * case, it is not possible to stop and perform a new SSL
- * handshake immediately; once the SSL library moves to the
- * "accept" state, it will reject the SSL packets which the client
- * is sending for the request body.
- *
- * To allow authentication to complete in this auth hook, the
- * solution used here is to fill a (bounded) buffer with the
- * request body, and then to reinject that request body later.
- */
- if (renegotiate && !renegotiate_quick
- && !r->expecting_100
- && ap_request_has_body(r)) {
- int rv;
- apr_size_t rsize;
-
- rsize = dc->nRenegBufferSize == UNSET ? DEFAULT_RENEG_BUFFER_SIZE :
- dc->nRenegBufferSize;
- if (rsize > 0) {
- /* Fill the I/O buffer with the request body if possible. */
- rv = ssl_io_buffer_fill(r, rsize);
- }
- else {
- /* If the reneg buffer size is set to zero, just fail. */
- rv = HTTP_REQUEST_ENTITY_TOO_LARGE;
- }
-
- if (rv) {
+ /* Fill reneg buffer if required. */
+ if (renegotiate && !renegotiate_quick) {
+ rc = fill_reneg_buffer(r, dc);
+ if (rc) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02257)
"could not buffer message body to allow "
"SSL renegotiation to proceed");
- return rv;
+ return rc;
}
}
@@ -1132,6 +1144,17 @@ static int ssl_hook_Access_modern(request_rec *r, SSLSrvConfigRec *sc, SSLDirCon
}
}
+ /* Fill reneg buffer if required. */
+ if (change_vmode) {
+ rc = fill_reneg_buffer(r, dc);
+ if (rc) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10228)
+ "could not buffer message body to allow "
+ "TLS Post-Handshake Authentication to proceed");
+ return rc;
+ }
+ }
+
if (change_vmode) {
char peekbuf[1];

192
httpd-2.4.43-sslcoalesce.patch
View File

@ -1,192 +0,0 @@
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_io.c?r1=1836237&r2=1836236&pathrev=1836237&view=patch
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_io.c?r1=1873985&r2=1876037&view=patch
--- httpd-2.4.43/modules/ssl/ssl_engine_io.c.sslcoalesce
+++ httpd-2.4.43/modules/ssl/ssl_engine_io.c
@@ -1585,18 +1585,32 @@
}
-/* ssl_io_filter_output() produces one SSL/TLS message per bucket
+/* ssl_io_filter_output() produces one SSL/TLS record per bucket
* passed down the output filter stack. This results in a high
- * overhead (network packets) for any output comprising many small
- * buckets. SSI page applied through the HTTP chunk filter, for
- * example, may produce many brigades containing small buckets -
- * [chunk-size CRLF] [chunk-data] [CRLF].
+ * overhead (more network packets & TLS processing) for any output
+ * comprising many small buckets. SSI output passed through the HTTP
+ * chunk filter, for example, may produce many brigades containing
+ * small buckets - [chunk-size CRLF] [chunk-data] [CRLF].
*
- * The coalescing filter merges many small buckets into larger buckets
- * where possible, allowing the SSL I/O output filter to handle them
- * more efficiently. */
+ * Sending HTTP response headers as a separate TLS record to the
+ * response body also reveals information to a network observer (the
+ * size of headers) which can be significant.
+ *
+ * The coalescing filter merges data buckets with the aim of producing
+ * fewer, larger TLS records - without copying/buffering all content
+ * and introducing unnecessary overhead.
+ *
+ * ### This buffering could be probably be done more comprehensively
+ * ### in ssl_io_filter_output itself.
+ *
+ * ### Another possible performance optimisation in particular for the
+ * ### [HEAP] [FILE] HTTP response case is using a brigade rather than
+ * ### a char array to buffer; using apr_brigade_write() to append
+ * ### will use already-allocated memory from the HEAP, reducing # of
+ * ### copies.
+ */
-#define COALESCE_BYTES (2048)
+#define COALESCE_BYTES (AP_IOBUFSIZE)
struct coalesce_ctx {
char buffer[COALESCE_BYTES];
@@ -1609,11 +1623,12 @@
apr_bucket *e, *upto;
apr_size_t bytes = 0;
struct coalesce_ctx *ctx = f->ctx;
+ apr_size_t buffered = ctx ? ctx->bytes : 0; /* space used on entry */
unsigned count = 0;
/* The brigade consists of zero-or-more small data buckets which
- * can be coalesced (the prefix), followed by the remainder of the
- * brigade.
+ * can be coalesced (referred to as the "prefix"), followed by the
+ * remainder of the brigade.
*
* Find the last bucket - if any - of that prefix. count gives
* the number of buckets in the prefix. The "prefix" must contain
@@ -1628,24 +1643,97 @@
e != APR_BRIGADE_SENTINEL(bb)
&& !APR_BUCKET_IS_METADATA(e)
&& e->length != (apr_size_t)-1
- && e->length < COALESCE_BYTES
- && (bytes + e->length) < COALESCE_BYTES
- && (ctx == NULL
- || bytes + ctx->bytes + e->length < COALESCE_BYTES);
+ && e->length <= COALESCE_BYTES
+ && (buffered + bytes + e->length) <= COALESCE_BYTES;
e = APR_BUCKET_NEXT(e)) {
- if (e->length) count++; /* don't count zero-length buckets */
- bytes += e->length;
+ /* don't count zero-length buckets */
+ if (e->length) {
+ bytes += e->length;
+ count++;
+ }
}
+
+ /* If there is room remaining and the next bucket is a data
+ * bucket, try to include it in the prefix to coalesce. For a
+ * typical [HEAP] [FILE] HTTP response brigade, this handles
+ * merging the headers and the start of the body into a single TLS
+ * record. */
+ if (bytes + buffered > 0
+ && bytes + buffered < COALESCE_BYTES
+ && e != APR_BRIGADE_SENTINEL(bb)
+ && !APR_BUCKET_IS_METADATA(e)) {
+ apr_status_t rv = APR_SUCCESS;
+
+ /* For an indeterminate length bucket (PIPE/CGI/...), try a
+ * non-blocking read to have it morph into a HEAP. If the
+ * read fails with EAGAIN, it is harmless to try a split
+ * anyway, split is ENOTIMPL for most PIPE-like buckets. */
+ if (e->length == (apr_size_t)-1) {
+ const char *discard;
+ apr_size_t ignore;
+
+ rv = apr_bucket_read(e, &discard, &ignore, APR_NONBLOCK_READ);
+ if (rv != APR_SUCCESS && !APR_STATUS_IS_EAGAIN(rv)) {
+ ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, f->c, APLOGNO(10232)
+ "coalesce failed to read from %s bucket",
+ e->type->name);
+ return AP_FILTER_ERROR;
+ }
+ }
+
+ if (rv == APR_SUCCESS) {
+ /* If the read above made the bucket morph, it may now fit
+ * entirely within the buffer. Otherwise, split it so it does
+ * fit. */
+ if (e->length > COALESCE_BYTES
+ || e->length + buffered + bytes > COALESCE_BYTES) {
+ rv = apr_bucket_split(e, COALESCE_BYTES - (buffered + bytes));
+ }
+
+ if (rv == APR_SUCCESS && e->length == 0) {
+ /* As above, don't count in the prefix if the bucket is
+ * now zero-length. */
+ }
+ else if (rv == APR_SUCCESS) {
+ ap_log_cerror(APLOG_MARK, APLOG_TRACE4, 0, f->c,
+ "coalesce: adding %" APR_SIZE_T_FMT " bytes "
+ "from split %s bucket, total %" APR_SIZE_T_FMT,
+ e->length, e->type->name, bytes + buffered);
+
+ count++;
+ bytes += e->length;
+ e = APR_BUCKET_NEXT(e);
+ }
+ else if (rv != APR_ENOTIMPL) {
+ ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, f->c, APLOGNO(10233)
+ "coalesce: failed to split data bucket");
+ return AP_FILTER_ERROR;
+ }
+ }
+ }
+
upto = e;
- /* Coalesce the prefix, if:
- * a) more than one bucket is found to coalesce, or
- * b) the brigade contains only a single data bucket, or
- * c) the data bucket is not last but we have buffered data already.
+ /* Coalesce the prefix, if any of the following are true:
+ *
+ * a) the prefix is more than one bucket
+ * OR
+ * b) the prefix is the entire brigade, which is a single bucket
+ * AND the prefix length is smaller than the buffer size,
+ * OR
+ * c) the prefix is a single bucket
+ * AND there is buffered data from a previous pass.
+ *
+ * The aim with (b) is to buffer a small bucket so it can be
+ * coalesced with future invocations of this filter. e.g. three
+ * calls each with a single 100 byte HEAP bucket should get
+ * coalesced together. But an invocation with a 8192 byte HEAP
+ * should pass through untouched.
*/
if (bytes > 0
&& (count > 1
- || (upto == APR_BRIGADE_SENTINEL(bb))
+ || (upto == APR_BRIGADE_SENTINEL(bb)
+ && bytes < COALESCE_BYTES)
|| (ctx && ctx->bytes > 0))) {
/* If coalescing some bytes, ensure a context has been
* created. */
@@ -1656,7 +1744,8 @@
ap_log_cerror(APLOG_MARK, APLOG_TRACE4, 0, f->c,
"coalesce: have %" APR_SIZE_T_FMT " bytes, "
- "adding %" APR_SIZE_T_FMT " more", ctx->bytes, bytes);
+ "adding %" APR_SIZE_T_FMT " more (buckets=%u)",
+ ctx->bytes, bytes, count);
/* Iterate through the prefix segment. For non-fatal errors
* in this loop it is safe to break out and fall back to the
@@ -1671,7 +1760,8 @@
if (APR_BUCKET_IS_METADATA(e)
|| e->length == (apr_size_t)-1) {
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, f->c, APLOGNO(02012)
- "unexpected bucket type during coalesce");
+ "unexpected %s bucket during coalesce",
+ e->type->name);
break; /* non-fatal error; break out */
}

119
httpd-2.4.46-lua-resume.patch
View File

@ -1,119 +0,0 @@
diff --git a/modules/lua/config.m4 b/modules/lua/config.m4
index 29fd563..abeba1c 100644
--- a/modules/lua/config.m4
+++ b/modules/lua/config.m4
@@ -34,7 +34,7 @@ AC_DEFUN([CHECK_LUA_PATH], [dnl
fi
])
-dnl Check for Lua 5.3/5.2/5.1 Libraries
+dnl Check for Lua Libraries
dnl CHECK_LUA(ACTION-IF-FOUND [, ACTION-IF-NOT-FOUND])
dnl Sets:
dnl LUA_CFLAGS
@@ -44,7 +44,7 @@ AC_DEFUN([CHECK_LUA],
AC_ARG_WITH(
lua,
- [AC_HELP_STRING([--with-lua=PATH],[Path to the Lua 5.3/5.2/5.1 prefix])],
+ [AC_HELP_STRING([--with-lua=PATH],[Path to the Lua installation prefix])],
lua_path="$withval",
:)
diff --git a/modules/lua/mod_lua.c b/modules/lua/mod_lua.c
index 05f1e44..18b628c 100644
--- a/modules/lua/mod_lua.c
+++ b/modules/lua/mod_lua.c
@@ -342,7 +342,7 @@ static apr_status_t lua_setup_filter_ctx(ap_filter_t* f, request_rec* r, lua_fil
{
apr_pool_t *pool;
ap_lua_vm_spec *spec;
- int n, rc;
+ int n, rc, nres;
lua_State *L;
lua_filter_ctx *ctx;
ap_lua_server_cfg *server_cfg = ap_get_module_config(r->server->module_config,
@@ -410,7 +410,7 @@ static apr_status_t lua_setup_filter_ctx(ap_filter_t* f, request_rec* r, lua_fil
/* If a Lua filter is interested in filtering a request, it must first do a yield,
* otherwise we'll assume that it's not interested and pretend we didn't find it.
*/
- rc = lua_resume(L, 1);
+ rc = lua_resume(L, 1, &nres);
if (rc == LUA_YIELD) {
if (f->frec->providers == NULL) {
/* Not wired by mod_filter */
@@ -432,7 +432,7 @@ static apr_status_t lua_setup_filter_ctx(ap_filter_t* f, request_rec* r, lua_fil
static apr_status_t lua_output_filter_handle(ap_filter_t *f, apr_bucket_brigade *pbbIn)
{
request_rec *r = f->r;
- int rc;
+ int rc, nres;
lua_State *L;
lua_filter_ctx* ctx;
conn_rec *c = r->connection;
@@ -492,7 +492,7 @@ static apr_status_t lua_output_filter_handle(ap_filter_t *f, apr_bucket_brigade
lua_setglobal(L, "bucket");
/* If Lua yielded, it means we have something to pass on */
- if (lua_resume(L, 0) == LUA_YIELD) {
+ if (lua_resume(L, 0, &nres) == LUA_YIELD && nres == 1) {
size_t olen;
const char* output = lua_tolstring(L, 1, &olen);
if (olen > 0) {
@@ -524,7 +524,7 @@ static apr_status_t lua_output_filter_handle(ap_filter_t *f, apr_bucket_brigade
apr_bucket *pbktEOS;
lua_pushnil(L);
lua_setglobal(L, "bucket");
- if (lua_resume(L, 0) == LUA_YIELD) {
+ if (lua_resume(L, 0, &nres) == LUA_YIELD && nres == 1) {
apr_bucket *pbktOut;
size_t olen;
const char* output = lua_tolstring(L, 1, &olen);
@@ -558,7 +558,7 @@ static apr_status_t lua_input_filter_handle(ap_filter_t *f,
apr_off_t nBytes)
{
request_rec *r = f->r;
- int rc, lastCall = 0;
+ int rc, lastCall = 0, nres;
lua_State *L;
lua_filter_ctx* ctx;
conn_rec *c = r->connection;
@@ -621,7 +621,7 @@ static apr_status_t lua_input_filter_handle(ap_filter_t *f,
lua_setglobal(L, "bucket");
/* If Lua yielded, it means we have something to pass on */
- if (lua_resume(L, 0) == LUA_YIELD) {
+ if (lua_resume(L, 0, &nres) == LUA_YIELD && nres == 1) {
size_t olen;
const char* output = lua_tolstring(L, 1, &olen);
pbktOut = apr_bucket_heap_create(output, olen, 0, c->bucket_alloc);
@@ -643,7 +643,7 @@ static apr_status_t lua_input_filter_handle(ap_filter_t *f,
apr_bucket *pbktEOS = apr_bucket_eos_create(c->bucket_alloc);
lua_pushnil(L);
lua_setglobal(L, "bucket");
- if (lua_resume(L, 0) == LUA_YIELD) {
+ if (lua_resume(L, 0, &nres) == LUA_YIELD && nres == 1) {
apr_bucket *pbktOut;
size_t olen;
const char* output = lua_tolstring(L, 1, &olen);
diff --git a/modules/lua/mod_lua.h b/modules/lua/mod_lua.h
index 0e49cdc..72b4de7 100644
--- a/modules/lua/mod_lua.h
+++ b/modules/lua/mod_lua.h
@@ -48,7 +48,15 @@
#if LUA_VERSION_NUM > 501
/* Load mode for lua_load() */
#define lua_load(a,b,c,d) lua_load(a,b,c,d,NULL)
-#define lua_resume(a,b) lua_resume(a, NULL, b)
+
+#if LUA_VERSION_NUM > 503
+#define lua_resume(a,b,c) lua_resume(a, NULL, b, c)
+#else
+/* ### For version < 5.4, assume that exactly one stack item is on the
+ * stack, which is what the code did before but seems dubious. */
+#define lua_resume(a,b,c) (*(c) = 1, lua_resume(a, NULL, b))
+#endif
+
#define luaL_setfuncs_compat(a,b) luaL_setfuncs(a,b,0)
#else
#define lua_rawlen(L,i) lua_objlen(L, (i))

6
httpd-2.4.43-export.patch → httpd-2.4.48-export.patch
View File

@ -6,7 +6,7 @@ to do so indirectly.
Upstream: https://svn.apache.org/r1861685 (as new default-off configure option)
diff --git a/Makefile.in b/Makefile.in
index 9eeb5c7..8746a10 100644
index 40c7076..ac98e5f 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -4,8 +4,15 @@ CLEAN_SUBDIRS = test
@ -27,7 +27,7 @@ index 9eeb5c7..8746a10 100644
server/libmain.la \
$(BUILTIN_LIBS) \
diff --git a/server/Makefile.in b/server/Makefile.in
index 1fa3344..116850b 100644
index 8111877..f00bb3f 100644
--- a/server/Makefile.in
+++ b/server/Makefile.in
@@ -12,7 +12,7 @@ LTLIBRARY_SOURCES = \
@ -36,7 +36,7 @@ index 1fa3344..116850b 100644
util_charset.c util_cookies.c util_debug.c util_xml.c \
- util_filter.c util_pcre.c util_regex.c exports.c \
+ util_filter.c util_pcre.c util_regex.c \
scoreboard.c error_bucket.c protocol.c core.c request.c provider.c \
scoreboard.c error_bucket.c protocol.c core.c request.c ssl.c provider.c \
eoc_bucket.c eor_bucket.c core_filters.c \
util_expr_parse.c util_expr_scan.c util_expr_eval.c
diff --git a/server/main.c b/server/main.c

95
httpd-2.4.46-proxy-ws-idle-timeout.patch → httpd-2.4.48-proxy-ws-idle-timeout.patch
View File

@ -1,25 +1,20 @@
diff --git a/docs/manual/mod/mod_proxy_wstunnel.html.en b/docs/manual/mod/mod_proxy_wstunnel.html.en
index 7506ccb..8867578 100644
index 9f2c120..61ff7de 100644
--- a/docs/manual/mod/mod_proxy_wstunnel.html.en
+++ b/docs/manual/mod/mod_proxy_wstunnel.html.en
@@ -60,14 +60,33 @@ NONE means you bypass the check for the header but still upgrade to WebSocket.
ANY means that <code>Upgrade</code> will read in the request headers and use
in the response <code>Upgrade</code></p>
</div>
-<div id="quickview"><a href="https://www.apache.org/foundation/contributing.html" class="badge"><img src="https://www.apache.org/images/SupportApache-small.png" alt="Support Apache!" /></a><h3 class="directives">Directives</h3>
-<p>This module provides no
- directives.</p>
+<div id="quickview"><h3 class="directives">Directives</h3>
+<ul id="toc">
@@ -83,6 +83,7 @@ in the response <code>Upgrade</code></p>
<div id="quickview"><a href="https://www.apache.org/foundation/contributing.html" class="badge"><img src="https://www.apache.org/images/SupportApache-small.png" alt="Support Apache!" /></a><h3 class="directives">Directives</h3>
<ul id="toc">
<li><img alt="" src="../images/down.gif" /> <a href="#proxywebsocketfallbacktoproxyhttp">ProxyWebsocketFallbackToProxyHttp</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#proxywebsocketidletimeout">ProxyWebsocketIdleTimeout</a></li>
+</ul>
+
</ul>
<h3>Bugfix checklist</h3><ul class="seealso"><li><a href="https://www.apache.org/dist/httpd/CHANGES_2.4">httpd changelog</a></li><li><a href="https://bz.apache.org/bugzilla/buglist.cgi?bug_status=__open__&amp;list_id=144532&amp;product=Apache%20httpd-2&amp;query_format=specific&amp;order=changeddate%20DESC%2Cpriority%2Cbug_severity&amp;component=mod_proxy_wstunnel">Known issues</a></li><li><a href="https://bz.apache.org/bugzilla/enter_bug.cgi?product=Apache%20httpd-2&amp;component=mod_proxy_wstunnel">Report a bug</a></li></ul><h3>See also</h3>
<ul class="seealso">
<li><code class="module"><a href="../mod/mod_proxy.html">mod_proxy</a></code></li>
<li><a href="#comments_section">Comments</a></li></ul></div>
@@ -108,6 +109,23 @@ in the response <code>Upgrade</code></p>
WebSocket requests as in httpd 2.4.46 and earlier.</p>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
</div>
+
+<div class="directive-section"><h2><a name="ProxyWebsocketIdleTimeout" id="ProxyWebsocketIdleTimeout">ProxyWebsocketIdleTimeout</a> <a name="proxywebsocketidletimeout" id="proxywebsocketidletimeout">Directive</a> <a title="Permanent link" href="#proxywebsocketidletimeout" class="permalink">&para;</a></h2>
+<table class="directive">
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Sets the maximum amount of time to wait for data on the websockets tunnel</td></tr>
@ -40,21 +35,18 @@ index 7506ccb..8867578 100644
<div class="bottomlang">
<p><span>Available Languages: </span><a href="../en/mod/mod_proxy_wstunnel.html" title="English">&nbsp;en&nbsp;</a> |
diff --git a/modules/proxy/mod_proxy_wstunnel.c b/modules/proxy/mod_proxy_wstunnel.c
index fb53fe6..73da758 100644
index bcbba42..c29ded1 100644
--- a/modules/proxy/mod_proxy_wstunnel.c
+++ b/modules/proxy/mod_proxy_wstunnel.c
@@ -18,6 +18,10 @@
module AP_MODULE_DECLARE_DATA proxy_wstunnel_module;
+typedef struct {
@@ -22,6 +22,7 @@ module AP_MODULE_DECLARE_DATA proxy_wstunnel_module;
typedef struct {
unsigned int fallback_to_proxy_http :1,
fallback_to_proxy_http_set :1;
+ apr_time_t idle_timeout;
+} proxyws_dir_conf;
+
/*
* Canonicalise http-like URLs.
* scheme is the scheme for the URL
@@ -111,6 +115,8 @@ static int proxy_wstunnel_request(apr_pool_t *p, request_rec *r,
} proxyws_dir_conf;
static int can_fallback_to_proxy_http;
@@ -152,6 +153,8 @@ static int proxy_wstunnel_request(apr_pool_t *p, request_rec *r,
conn_rec *c = r->connection;
apr_socket_t *sock = conn->sock;
conn_rec *backconn = conn->connection;
@ -63,7 +55,7 @@ index fb53fe6..73da758 100644
char *buf;
apr_bucket_brigade *header_brigade;
apr_bucket *e;
@@ -188,10 +194,13 @@ static int proxy_wstunnel_request(apr_pool_t *p, request_rec *r,
@@ -229,10 +232,13 @@ static int proxy_wstunnel_request(apr_pool_t *p, request_rec *r,
c->keepalive = AP_CONN_CLOSE;
do { /* Loop until done (one side closes the connection, or an error) */
@ -78,7 +70,7 @@ index fb53fe6..73da758 100644
}
ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(02444) "error apr_poll()");
return HTTP_INTERNAL_SERVER_ERROR;
@@ -366,6 +375,38 @@ cleanup:
@@ -418,11 +424,26 @@ cleanup:
return status;
}
@ -96,37 +88,22 @@ index fb53fe6..73da758 100644
+ return NULL;
+}
+
+static void *create_proxyws_dir_config(apr_pool_t *p, char *dummy)
+{
+ proxyws_dir_conf *new =
+ (proxyws_dir_conf *) apr_pcalloc(p, sizeof(proxyws_dir_conf));
+
static void *create_proxyws_dir_config(apr_pool_t *p, char *dummy)
{
proxyws_dir_conf *new =
(proxyws_dir_conf *) apr_pcalloc(p, sizeof(proxyws_dir_conf));
+ new->idle_timeout = -1; /* no timeout */
+
+ return (void *) new;
+}
+
+static const command_rec ws_proxy_cmds[] =
+{
new->fallback_to_proxy_http = 1;
return (void *) new;
@@ -465,7 +486,8 @@ static const command_rec ws_proxy_cmds[] =
proxyws_fallback_to_proxy_http, NULL, RSRC_CONF|ACCESS_CONF,
"whether to let mod_proxy_http handle the upgrade and tunneling, "
"On by default"),
-
+ AP_INIT_TAKE1("ProxyWebsocketIdleTimeout", proxyws_set_idle, NULL, RSRC_CONF|ACCESS_CONF,
+ "timeout for activity in either direction, unlimited by default."),
+
+ {NULL}
+};
+
static void ap_proxy_http_register_hook(apr_pool_t *p)
{
proxy_hook_scheme_handler(proxy_wstunnel_handler, NULL, NULL, APR_HOOK_FIRST);
@@ -374,10 +415,10 @@ static void ap_proxy_http_register_hook(apr_pool_t *p)
AP_DECLARE_MODULE(proxy_wstunnel) = {
STANDARD20_MODULE_STUFF,
- NULL, /* create per-directory config structure */
+ create_proxyws_dir_config, /* create per-directory config structure */
NULL, /* merge per-directory config structures */
NULL, /* create per-server config structure */
NULL, /* merge per-server config structures */
- NULL, /* command apr_table_t */
+ ws_proxy_cmds, /* command apr_table_t */
ap_proxy_http_register_hook /* register hooks */
{NULL}
};

27
httpd-2.4.43-r1842929+.patch → httpd-2.4.48-r1842929+.patch
View File

@ -1,8 +1,8 @@
diff --git a/Makefile.in b/Makefile.in
index 06b8c5a..9eeb5c7 100644
index 6747aea..40c7076 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -213,6 +213,7 @@ install-cgi:
@@ -233,6 +233,7 @@ install-cgi:
install-other:
@test -d $(DESTDIR)$(logfiledir) || $(MKINSTALLDIRS) $(DESTDIR)$(logfiledir)
@test -d $(DESTDIR)$(runtimedir) || $(MKINSTALLDIRS) $(DESTDIR)$(runtimedir)
@ -11,7 +11,7 @@ index 06b8c5a..9eeb5c7 100644
file=apachecore.$$ext; \
if test -f $$file; then \
diff --git a/acinclude.m4 b/acinclude.m4
index 95232f5..5d9d669 100644
index b6ef442..98f1441 100644
--- a/acinclude.m4
+++ b/acinclude.m4
@@ -45,6 +45,7 @@ AC_DEFUN([APACHE_GEN_CONFIG_VARS],[
@ -22,7 +22,7 @@ index 95232f5..5d9d669 100644
APACHE_SUBST(other_targets)
APACHE_SUBST(progname)
APACHE_SUBST(prefix)
@@ -688,6 +689,7 @@ AC_DEFUN([APACHE_EXPORT_ARGUMENTS],[
@@ -665,6 +666,7 @@ AC_DEFUN([APACHE_EXPORT_ARGUMENTS],[
APACHE_SUBST_EXPANDED_ARG(runtimedir)
APACHE_SUBST_EXPANDED_ARG(logfiledir)
APACHE_SUBST_EXPANDED_ARG(proxycachedir)
@ -31,7 +31,7 @@ index 95232f5..5d9d669 100644
dnl
diff --git a/configure.in b/configure.in
index a63eada..c8f9aa2 100644
index 37346b2..f303784 100644
--- a/configure.in
+++ b/configure.in
@@ -41,7 +41,7 @@ dnl Something seems broken here.
@ -56,7 +56,7 @@ index 2b4a70c..e076f41 100644
#endif /* AP_CONFIG_LAYOUT_H */
diff --git a/include/http_config.h b/include/http_config.h
index f9c2d77..c229bc9 100644
index 77657ae..384a90f 100644
--- a/include/http_config.h
+++ b/include/http_config.h
@@ -757,6 +757,14 @@ AP_DECLARE(char *) ap_server_root_relative(apr_pool_t *p, const char *fname);
@ -124,10 +124,10 @@ index addfd7e..2389f8f 100644
APR_HOOK_MIDDLE);
dav_hook_find_liveprop(dav_fs_find_liveprop, NULL, NULL, APR_HOOK_MIDDLE);
diff --git a/server/core.c b/server/core.c
index 3db9d61..79b2a82 100644
index d135764..c2176b9 100644
--- a/server/core.c
+++ b/server/core.c
@@ -129,6 +129,8 @@ AP_DECLARE_DATA int ap_main_state = AP_SQ_MS_INITIAL_STARTUP;
@@ -142,6 +142,8 @@ AP_DECLARE_DATA int ap_main_state = AP_SQ_MS_INITIAL_STARTUP;
AP_DECLARE_DATA int ap_run_mode = AP_SQ_RM_UNKNOWN;
AP_DECLARE_DATA int ap_config_generation = 0;
@ -136,7 +136,7 @@ index 3db9d61..79b2a82 100644
static void *create_core_dir_config(apr_pool_t *a, char *dir)
{
core_dir_config *conf;
@@ -1409,12 +1411,15 @@ AP_DECLARE(const char *) ap_resolve_env(apr_pool_t *p, const char * word)
@@ -1444,13 +1446,16 @@ AP_DECLARE(const char *) ap_resolve_env(apr_pool_t *p, const char * word)
return res_buf;
}
@ -147,6 +147,7 @@ index 3db9d61..79b2a82 100644
ap_server_config_defines = saved_server_config_defines;
saved_server_config_defines = NULL;
server_config_defined_vars = NULL;
ap_runtime_dir = NULL;
- return OK;
+ core_state_dir = NULL;
+
@ -154,7 +155,7 @@ index 3db9d61..79b2a82 100644
}
/*
@@ -3120,6 +3125,24 @@ static const char *set_runtime_dir(cmd_parms *cmd, void *dummy, const char *arg)
@@ -3220,6 +3225,24 @@ static const char *set_runtime_dir(cmd_parms *cmd, void *dummy, const char *arg)
return NULL;
}
@ -179,7 +180,7 @@ index 3db9d61..79b2a82 100644
static const char *set_timeout(cmd_parms *cmd, void *dummy, const char *arg)
{
const char *err = ap_check_cmd_context(cmd, NOT_IN_DIR_CONTEXT);
@@ -4414,6 +4437,8 @@ AP_INIT_TAKE1("ServerRoot", set_server_root, NULL, RSRC_CONF | EXEC_ON_READ,
@@ -4521,6 +4544,8 @@ AP_INIT_TAKE1("ServerRoot", set_server_root, NULL, RSRC_CONF | EXEC_ON_READ,
"Common directory of server-related files (logs, confs, etc.)"),
AP_INIT_TAKE1("DefaultRuntimeDir", set_runtime_dir, NULL, RSRC_CONF | EXEC_ON_READ,
"Common directory for run-time files (shared memory, locks, etc.)"),
@ -188,7 +189,7 @@ index 3db9d61..79b2a82 100644
AP_INIT_TAKE1("ErrorLog", set_server_string_slot,
(void *)APR_OFFSETOF(server_rec, error_fname), RSRC_CONF,
"The filename of the error log"),
@@ -4941,8 +4966,7 @@ static int core_pre_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptem
@@ -5055,8 +5080,7 @@ static int core_pre_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptem
if (!saved_server_config_defines)
init_config_defines(pconf);
@ -198,7 +199,7 @@ index 3db9d61..79b2a82 100644
ap_regcomp_set_default_cflags(AP_REG_DEFAULT);
@@ -5170,6 +5194,27 @@ AP_DECLARE(int) ap_state_query(int query)
@@ -5303,6 +5327,27 @@ AP_DECLARE(int) ap_state_query(int query)
}
}

20
httpd.spec
View File

@ -12,8 +12,8 @@
Summary: Apache HTTP Server
Name: httpd
Version: 2.4.46
Release: 15%{?dist}
Version: 2.4.48
Release: 1%{?dist}
URL: https://httpd.apache.org/
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
@ -68,9 +68,9 @@ Patch3: httpd-2.4.43-deplibs.patch
# Needed for socket activation and mod_systemd patch
Patch19: httpd-2.4.43-detect-systemd.patch
# Features/functional changes
Patch21: httpd-2.4.43-r1842929+.patch
Patch21: httpd-2.4.48-r1842929+.patch
Patch22: httpd-2.4.43-mod_systemd.patch
Patch23: httpd-2.4.43-export.patch
Patch23: httpd-2.4.48-export.patch
Patch24: httpd-2.4.43-corelimit.patch
Patch25: httpd-2.4.43-selinux.patch
Patch26: httpd-2.4.43-gettid.patch
@ -83,10 +83,8 @@ Patch39: httpd-2.4.43-sslprotdefault.patch
Patch40: httpd-2.4.43-r1861269.patch
Patch41: httpd-2.4.43-r1861793+.patch
Patch42: httpd-2.4.43-r1828172+.patch
Patch43: httpd-2.4.43-sslcoalesce.patch
Patch44: httpd-2.4.46-lua-resume.patch
Patch45: httpd-2.4.43-logjournal.patch
Patch46: httpd-2.4.46-proxy-ws-idle-timeout.patch
Patch46: httpd-2.4.48-proxy-ws-idle-timeout.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1949969
Patch47: httpd-2.4.43-pr37355.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1949606
@ -96,7 +94,6 @@ Patch48: httpd-2.4.46-freebind.patch
# Bug fixes
# https://bugzilla.redhat.com/show_bug.cgi?id=1397243
Patch60: httpd-2.4.43-enable-sslv3.patch
Patch62: httpd-2.4.43-r1870095+.patch
Patch63: httpd-2.4.46-htcacheclean-dont-break.patch
# Security fixes
@ -242,15 +239,12 @@ written in the Lua programming language.
%patch40 -p1 -b .r1861269
%patch41 -p1 -b .r1861793+
%patch42 -p1 -b .r1828172+
%patch43 -p1 -b .sslcoalesce
%patch44 -p1 -b .luaresume
%patch45 -p1 -b .logjournal
%patch46 -p1 -b .proxy-ws-idle-timeout
%patch47 -p1 -b .pr37355
%patch48 -p1 -b .freebind
%patch60 -p1 -b .enable-sslv3
%patch62 -p1 -b .r1870095
%patch63 -p1 -b .htcacheclean-dont-break
# Patch in the vendor string
@ -793,6 +787,10 @@ exit $rv
%{_rpmconfigdir}/macros.d/macros.httpd
%changelog
* Wed Jun 02 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.48-1
- new version 2.4.48
- Resolves: #1952817 - rebase to 2.4.48
* Wed May 26 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.46-15
- Resolves: #1949606 - RFE: httpd, add IP_FREEBIND support for Listen

4
sources
View File

@ -1,3 +1,3 @@
SHA512 (httpd-2.4.46.tar.bz2) = 5936784bb662e9d8a4f7fe38b70c043b468114d931cd10ea831bfe74461ea5856b64f88f42c567ab791fc8907640a99884ba4b6a600f86d661781812735b6f13
SHA512 (httpd-2.4.46.tar.bz2.asc) = 1f54c20d1aeedb7c745eb72acd79e1ed61d547b22c3dbe53cd3274ed3d897543cd8c49181d4b15d79c12755746cf0a2464d620f69e254ac3f998760133094df0
SHA512 (httpd-2.4.48.tar.bz2) = 6c250626f1e7d10428a92d984fd48ff841effcc8705f7816ab71b681bbd51d0012ad158dcd13763fe7d630311f2de258b27574603140d648be42796ab8326724
SHA512 (httpd-2.4.48.tar.bz2.asc) = 9f125de75107b04dd01f71e9e233b1602658b49e38371931b98dc1092be8df05cf7243b5564fa2f56f46544bef61a54a721dee5ca17ce823a2302a7c3698a195
SHA512 (KEYS) = 7ab66c64eaa4a152e88a913993c8ea0d9c46fd5865788e7b32a9619784d245cef8bddd9700368e3d63ce88ed94df8933e5892878523dc0fce697331136bb829e