import httpd-2.4.37-41.module+el8.5.0+11772+c8e0c271

This commit is contained in:
CentOS Sources 2021-10-06 04:05:15 -04:00 committed by Stepan Oksanichenko
parent 6cfd06b200
commit 62f7ec2287
14 changed files with 1494 additions and 10 deletions

.gitignore vendored

@ -1,4 +1,2 @@
SOURCES/htcacheclean.service.xml
SOURCES/apache-poweredby.png
SOURCES/httpd-2.4.37.tar.bz2
SOURCES/httpd.conf.xml
SOURCES/httpd.service.xml


@ -1,4 +1,2 @@
a34c31169efbe6140496c37801489610461bdf9b SOURCES/htcacheclean.service.xml
3a7449d6cff00e5ccb3ed8571f34c0528555d38f SOURCES/apache-poweredby.png
4a38471de821288b0300148016f2b03dfee8adf2 SOURCES/httpd-2.4.37.tar.bz2
fa18caadd0afbddc2c7a7fc404bf4f2b41867148 SOURCES/httpd.conf.xml
888df830bdc465de3bced6f075c33380018e544f SOURCES/httpd.service.xml


@ -0,0 +1,123 @@
<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
]>
<!--
Copyright 2018 Red Hat, Inc.
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language overning permissions and
limitations under the License.
-->
<refentry>
<refentryinfo>
<title>htcacheclean systemd unit</title>
<productname>httpd</productname>
<author><contrib>Author</contrib><surname>Orton</surname><firstname>Joe</firstname><email>jorton@redhat.com</email></author>
</refentryinfo>
<refmeta>
<refentrytitle>htcacheclean.service</refentrytitle>
<manvolnum>8</manvolnum>
</refmeta>
<refnamediv>
<refname>htcacheclean.service</refname>
<refpurpose>htcacheclean unit file for systemd</refpurpose>
</refnamediv>
<refsynopsisdiv>
<para>
<filename>/usr/lib/systemd/system/htcacheclean.service</filename>
</para>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>This manual page describes the <command>systemd</command>
unit file for the <command>htcacheclean</command> daemon. This
unit file provides a service which runs
<command>htcacheclean</command> in daemon mode,
periodically cleaning the disk cache root to ensure disk space
usage is within configured limits.</para>
</refsect1>
<refsect1>
<title>Options</title>
<para>The service is configured by configuration file
<filename>/etc/sysconfig/htcacheclean</filename>. The following
variables are used, following standard <command>systemd</command>
<varname>EnvironmentFile=</varname> syntax:</para>
<variablelist>
<varlistentry>
<term><varname>INTERVAL=</varname></term>
<listitem><para>Sets the interval between cache clean runs, in
minutes. By default this is configured as
<emphasis>15</emphasis>.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>CACHE_ROOT=</varname></term>
<listitem><para>Sets the directory name used for the cache
root. By default this is configured as
<filename>/var/cache/httpd/proxy</filename>.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>LIMIT=</varname></term>
<listitem><para>Sets the total disk cache space limit, in
bytes. Use a <emphasis>K</emphasis> or <emphasis>M</emphasis>
suffix to signify kilobytes or megabytes. By default this is
set to <emphasis>100M</emphasis>.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>OPTIONS=</varname></term>
<listitem><para>Any other options to pass to
<command>htcacheclean</command>.</para></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Files</title>
<para><filename>/usr/lib/systemd/system/htcacheclean.service</filename>,
<filename>/etc/sysconfig/htcacheclean</filename></para>
</refsect1>
<refsect1>
<title>See also</title>
<para>
<citerefentry><refentrytitle>htcacheclean</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>httpd</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>httpd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>8</manvolnum></citerefentry>
</para>
</refsect1>
</refentry>
<!-- LocalWords: systemd httpd htcacheclean
-->


@ -0,0 +1,14 @@
diff --git a/modules/session/mod_session.c b/modules/session/mod_session.c
index 7ee477c..049255d 100644
--- a/modules/session/mod_session.c
+++ b/modules/session/mod_session.c
@@ -404,8 +404,8 @@ static apr_status_t session_identity_decode(request_rec * r, session_rec * z)
char *plast = NULL;
const char *psep = "=";
char *key = apr_strtok(pair, psep, &plast);
- char *val = apr_strtok(NULL, psep, &plast);
if (key && *key) {
+ char *val = apr_strtok(NULL, sep, &plast);
if (!val || !*val) {
apr_table_unset(z->entries, key);
}
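Review bot: The relocated `val` line tokenizes with `sep` where the removed line used `psep`, so a reader will take the new separator for a typo unless the intent is stated; if `sep` is the outer pair separator declared above the hunk (session_identity_decode starts outside it), a comment such as `/* tokenize to the outer separator so a value containing '=' is kept intact */` on the new line makes that deliberate. The move also narrows `val` to the `if (key && *key)` block, which is correct only if nothing below the hunk still reads it; the rest of the loop body is not visible here.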


@ -0,0 +1,44 @@
diff --git a/server/request.c b/server/request.c
index d5c558a..18625af 100644
--- a/server/request.c
+++ b/server/request.c
@@ -1419,7 +1419,20 @@ AP_DECLARE(int) ap_location_walk(request_rec *r)
cache = prep_walk_cache(AP_NOTE_LOCATION_WALK, r);
cached = (cache->cached != NULL);
- entry_uri = r->uri;
+
+ /*
+ * When merge_slashes is set to AP_CORE_CONFIG_OFF the slashes in r->uri
+ * have not been merged. But for Location walks we always go with merged
+ * slashes no matter what merge_slashes is set to.
+ */
+ if (sconf->merge_slashes != AP_CORE_CONFIG_OFF) {
+ entry_uri = r->uri;
+ }
+ else {
+ char *uri = apr_pstrdup(r->pool, r->uri);
+ ap_no2slash(uri);
+ entry_uri = uri;
+ }
/* If we have an cache->cached location that matches r->uri,
* and the vhost's list of locations hasn't changed, we can skip
@@ -1486,7 +1499,7 @@ AP_DECLARE(int) ap_location_walk(request_rec *r)
pmatch = apr_palloc(rxpool, nmatch*sizeof(ap_regmatch_t));
}
- if (ap_regexec(entry_core->r, entry_uri, nmatch, pmatch, 0)) {
+ if (ap_regexec(entry_core->r, r->uri, nmatch, pmatch, 0)) {
continue;
}
@@ -1496,7 +1509,7 @@ AP_DECLARE(int) ap_location_walk(request_rec *r)
apr_table_setn(r->subprocess_env,
((const char **)entry_core->refs->elts)[i],
apr_pstrndup(r->pool,
- entry_uri + pmatch[i].rm_so,
+ r->uri + pmatch[i].rm_so,
pmatch[i].rm_eo - pmatch[i].rm_so));
}
}
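Review bot: The new else-branch reads `sconf->merge_slashes`, but no `sconf` is declared in the hunk, so the patch relies on ap_location_walk already holding a `core_server_config *sconf` above the hunk (the function starts outside it); if it does not, `core_server_config *sconf = ap_get_core_module_config(r->server->module_config);` has to travel with this change. The context comment right after the new block still says the cached location is matched against `r->uri`, while the walk now keys on `entry_uri`, which differs from `r->uri` when MergeSlashes is OFF; suggest `/* If we have a cache->cached location that matches entry_uri (r->uri with slashes merged), ... */`. The two `ap_regexec`/`pmatch` changes deliberately feed the regex path the unmerged `r->uri` while the literal path gets the merged copy; a one-line comment at the first `ap_regexec` change saying that regex Locations match the unmerged URI would spare the next reader that derivation.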


@ -20,7 +20,7 @@ index 21ffbe2..16e1628 100644
<li><a href="#comments_section">Comments</a></li></ul></div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="directive-section"><h2><a name="ProxyWebsocketIdleTimeout" id="ProxyWebsocketIdleTimeout">ProxyWebsocketIdleTimeout</a> <a name="proxywebsocketidletimeout
+<div class="directive-section"><h2><a name="ProxyWebsocketIdleTimeout" id="ProxyWebsocketIdleTimeout">ProxyWebsocketIdleTimeout</a> <a name="proxywebsocketidletimeout" id="proxywebsocketidletimeout">Directive</a> <a title="Permanent link" href="#proxywebsocketidletimeout" class="permalink">&para;</a></h2>
+<table class="directive">
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Sets the maximum amount of time to wait for data on the websockets tunnel</td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>ProxyWebsocketIdleTimeout <var>num</var>[ms]</code></td></tr>


@ -0,0 +1,48 @@
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 70d151e..e4f5fc8 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -1095,7 +1095,9 @@ static apr_status_t ssl_init_ctx_crl(server_rec *s,
/*
* Read a file that optionally contains the server certificate in PEM
* format, possibly followed by a sequence of CA certificates that
- * should be sent to the peer in the SSL Certificate message.
+ * should be sent to the peer in the SSL Certificate message. Returns
+ * 0 on success, otherwise the OpenSSL error stack contents should be
+ * reported.
*/
static int use_certificate_chain(
SSL_CTX *ctx, char *file, int skipfirst, pem_password_cb *cb)
@@ -1128,8 +1130,10 @@ static int use_certificate_chain(
ctx->extra_certs = NULL;
}
#endif
+
/* create new extra chain by loading the certs */
n = 0;
+ ERR_clear_error();
while ((x509 = PEM_read_bio_X509(bio, NULL, cb, NULL)) != NULL) {
if (!SSL_CTX_add_extra_chain_cert(ctx, x509)) {
X509_free(x509);
@@ -1190,6 +1194,7 @@ static apr_status_t ssl_init_ctx_cert_chain(server_rec *s,
if (n < 0) {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01903)
"Failed to configure CA certificate chain!");
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
return ssl_die(s);
}
diff --git a/modules/ssl/ssl_util_ocsp.c b/modules/ssl/ssl_util_ocsp.c
index b11a6e9..b66e151 100644
--- a/modules/ssl/ssl_util_ocsp.c
+++ b/modules/ssl/ssl_util_ocsp.c
@@ -363,7 +363,9 @@ static STACK_OF(X509) *modssl_read_ocsp_certificates(const char *file)
BIO_free(bio);
return NULL;
}
+
/* create new extra chain by loading the certs */
+ ERR_clear_error();
while ((x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL)) != NULL) {
if (!other_certs) {
other_certs = sk_X509_new_null();
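Review bot: The updated header comment on use_certificate_chain says it returns 0 on success, but the only caller shown tests `if (n < 0)`, so the failure value that caller depends on is left undocumented; `* Returns 0 on success or -1 on failure, in which case the OpenSSL error stack holds the cause and should be reported by the caller.` states the contract (the function's return statements are outside the hunk). The `ERR_clear_error()` added before each `PEM_read_bio_X509` loop is presumably what lets the code after the loop tell a genuine parse error from the loop's normal end-of-data condition without being misled by a stale error from an earlier call; that rationale belongs at the call, e.g. `/* clear stale errors so the loop's terminating error reflects this read */`. In modssl_read_ocsp_certificates the clear is added but no `ssl_log_ssl_error()` report is visible on its failure path, unlike the `ssl_init_ctx_cert_chain` change; if that function only returns NULL, the reason stays on the error stack and is never logged.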


@ -0,0 +1,265 @@
diff --git a/docs/manual/mod/mod_ssl.html.en b/docs/manual/mod/mod_ssl.html.en
index b543150..ab72d4f 100644
--- a/docs/manual/mod/mod_ssl.html.en
+++ b/docs/manual/mod/mod_ssl.html.en
@@ -1524,6 +1524,32 @@ The available (case-insensitive) <em>protocol</em>s are:</p>
<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLProtocol TLSv1</pre>
</div>
+<div class="note">
+<h3><code class="directive">SSLProtocol</code> for name-based virtual hosts</h3>
+<p>
+Before OpenSSL 1.1.1, even though the Server Name Indication (SNI) allowed to
+determine the targeted virtual host early in the TLS handshake, it was not
+possible to switch the TLS protocol version of the connection at this point,
+and thus the <code class="directive">SSLProtocol</code> negotiated was always based off
+the one of the <em>base virtual host</em> (first virtual host declared on the
+listening <code>IP:port</code> of the connection).
+</p>
+<p>
+Beginning with Apache HTTP server version 2.4.42, when built/linked against
+OpenSSL 1.1.1 or later, and when the SNI is provided by the client in the TLS
+handshake, the <code class="directive">SSLProtocol</code> of each (name-based) virtual
+host can and will be honored.
+</p>
+<p>
+For compatibility with previous versions, if no
+<code class="directive">SSLProtocol</code> is configured in a name-based virtual host,
+the one from the base virtual host still applies, <strong>unless</strong>
+<code class="directive">SSLProtocol</code> is configured globally in which case the
+global value applies (this latter exception is more sensible than compatible,
+though).
+</p>
+</div>
+
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLProxyCACertificateFile" id="SSLProxyCACertificateFile">SSLProxyCACertificateFile</a> <a name="sslproxycacertificatefile" id="sslproxycacertificatefile">Directive</a></h2>
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index 0c4bf1f..ca5f702 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -269,6 +269,7 @@ static void modssl_ctx_cfg_merge(apr_pool_t *p,
mrg->protocol_set = 1;
}
else {
+ mrg->protocol_set = base->protocol_set;
mrg->protocol = base->protocol;
}
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 31062bc..70d151e 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -520,7 +520,9 @@ static apr_status_t ssl_init_ctx_tls_extensions(server_rec *s,
"Configuring TLS extension handling");
/*
- * Server name indication (SNI)
+ * The Server Name Indication (SNI) provided by the ClientHello can be
+ * used to select the right (name-based-)vhost and its SSL configuration
+ * before the handshake takes place.
*/
if (!SSL_CTX_set_tlsext_servername_callback(mctx->ssl_ctx,
ssl_callback_ServerNameIndication) ||
@@ -532,6 +534,16 @@ static apr_status_t ssl_init_ctx_tls_extensions(server_rec *s,
return ssl_die(s);
}
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+ /*
+ * The ClientHello callback also allows to retrieve the SNI, but since it
+ * runs at the earliest possible connection stage we can even set the TLS
+ * protocol version(s) according to the selected (name-based-)vhost, which
+ * is not possible at the SNI callback stage (due to OpenSSL internals).
+ */
+ SSL_CTX_set_client_hello_cb(mctx->ssl_ctx, ssl_callback_ClientHello, NULL);
+#endif
+
#ifdef HAVE_OCSP_STAPLING
/*
* OCSP Stapling support, status_request extension
@@ -708,7 +720,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
#else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
/* We first determine the maximum protocol version we should provide */
#if SSL_HAVE_PROTOCOL_TLSV1_3
- if (SSL_HAVE_PROTOCOL_TLSV1_3 && (protocol & SSL_PROTOCOL_TLSV1_3)) {
+ if (protocol & SSL_PROTOCOL_TLSV1_3) {
prot = TLS1_3_VERSION;
} else
#endif
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 8b44674..7313a55 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -2357,28 +2357,31 @@ static apr_status_t set_challenge_creds(conn_rec *c, const char *servername,
* This function sets the virtual host from an extended
* client hello with a server name indication extension ("SNI", cf. RFC 6066).
*/
-static apr_status_t init_vhost(conn_rec *c, SSL *ssl)
+static apr_status_t init_vhost(conn_rec *c, SSL *ssl, const char *servername)
{
- const char *servername;
X509 *cert;
EVP_PKEY *key;
if (c) {
SSLConnRec *sslcon = myConnConfig(c);
-
- if (sslcon->server != c->base_server) {
- /* already found the vhost */
- return APR_SUCCESS;
+
+ if (sslcon->vhost_found) {
+ /* already found the vhost? */
+ return sslcon->vhost_found > 0 ? APR_SUCCESS : APR_NOTFOUND;
}
+ sslcon->vhost_found = -1;
- servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
+ if (!servername) {
+ servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
+ }
if (servername) {
if (ap_vhost_iterate_given_conn(c, ssl_find_vhost,
(void *)servername)) {
ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02043)
"SSL virtual host for servername %s found",
servername);
-
+
+ sslcon->vhost_found = +1;
return APR_SUCCESS;
}
else if (ssl_is_challenge(c, servername, &cert, &key)) {
@@ -2428,11 +2431,72 @@ static apr_status_t init_vhost(conn_rec *c, SSL *ssl)
int ssl_callback_ServerNameIndication(SSL *ssl, int *al, modssl_ctx_t *mctx)
{
conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
- apr_status_t status = init_vhost(c, ssl);
+ apr_status_t status = init_vhost(c, ssl, NULL);
return (status == APR_SUCCESS)? SSL_TLSEXT_ERR_OK : SSL_TLSEXT_ERR_NOACK;
}
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+/*
+ * This callback function is called when the ClientHello is received.
+ */
+int ssl_callback_ClientHello(SSL *ssl, int *al, void *arg)
+{
+ char *servername = NULL;
+ conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
+ const unsigned char *pos;
+ size_t len, remaining;
+ (void)arg;
+
+ /* We can't use SSL_get_servername() at this earliest OpenSSL connection
+ * stage, and there is no SSL_client_hello_get0_servername() provided as
+ * of OpenSSL 1.1.1. So the code below, that extracts the SNI from the
+ * ClientHello's TLS extensions, is taken from some test code in OpenSSL,
+ * i.e. client_hello_select_server_ctx() in "test/handshake_helper.c".
+ */
+
+ /*
+ * The server_name extension was given too much extensibility when it
+ * was written, so parsing the normal case is a bit complex.
+ */
+ if (!SSL_client_hello_get0_ext(ssl, TLSEXT_TYPE_server_name, &pos,
+ &remaining)
+ || remaining <= 2)
+ goto give_up;
+
+ /* Extract the length of the supplied list of names. */
+ len = (*(pos++) << 8);
+ len += *(pos++);
+ if (len + 2 != remaining)
+ goto give_up;
+ remaining = len;
+
+ /*
+ * The list in practice only has a single element, so we only consider
+ * the first one.
+ */
+ if (remaining <= 3 || *pos++ != TLSEXT_NAMETYPE_host_name)
+ goto give_up;
+ remaining--;
+
+ /* Now we can finally pull out the byte array with the actual hostname. */
+ len = (*(pos++) << 8);
+ len += *(pos++);
+ if (len + 2 != remaining)
+ goto give_up;
+
+ /* Use the SNI to switch to the relevant vhost, should it differ from
+ * c->base_server.
+ */
+ servername = apr_pstrmemdup(c->pool, (const char *)pos, len);
+
+give_up:
+ init_vhost(c, ssl, servername);
+ return SSL_CLIENT_HELLO_SUCCESS;
+}
+#endif /* OPENSSL_VERSION_NUMBER < 0x10101000L */
+
+
/*
* Find a (name-based) SSL virtual host where either the ServerName
* or one of the ServerAliases matches the supplied name (to be used
@@ -2452,12 +2516,25 @@ static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s)
if (found && (ssl = sslcon->ssl) &&
(sc = mySrvConfig(s))) {
SSL_CTX *ctx = SSL_set_SSL_CTX(ssl, sc->server->ssl_ctx);
+
/*
* SSL_set_SSL_CTX() only deals with the server cert,
* so we need to duplicate a few additional settings
* from the ctx by hand
*/
SSL_set_options(ssl, SSL_CTX_get_options(ctx));
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L \
+ && (!defined(LIBRESSL_VERSION_NUMBER) \
+ || LIBRESSL_VERSION_NUMBER >= 0x20800000L)
+ /*
+ * Don't switch the protocol if none is configured for this vhost,
+ * the default in this case is still the base server's SSLProtocol.
+ */
+ if (myCtxConfig(sslcon, sc)->protocol_set) {
+ SSL_set_min_proto_version(ssl, SSL_CTX_get_min_proto_version(ctx));
+ SSL_set_max_proto_version(ssl, SSL_CTX_get_max_proto_version(ctx));
+ }
+#endif
if ((SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE) ||
(SSL_num_renegotiations(ssl) == 0)) {
/*
@@ -2654,7 +2731,7 @@ int ssl_callback_alpn_select(SSL *ssl,
* they callback the SNI. We need to make sure that we know which vhost
* we are dealing with so we respect the correct protocols.
*/
- init_vhost(c, ssl);
+ init_vhost(c, ssl, NULL);
proposed = ap_select_protocol(c, NULL, sslconn->server, client_protos);
if (!proposed) {
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index 8055200..f8a1db7 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -563,6 +563,7 @@ typedef struct {
const char *cipher_suite; /* cipher suite used in last reneg */
int service_unavailable; /* thouugh we negotiate SSL, no requests will be served */
+ int vhost_found; /* whether we found vhost from SNI already */
} SSLConnRec;
/* BIG FAT WARNING: SSLModConfigRec has unusual memory lifetime: it is
@@ -946,6 +947,9 @@ void ssl_callback_Info(const SSL *, int, int);
#ifdef HAVE_TLSEXT
int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
#endif
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+int ssl_callback_ClientHello(SSL *, int *, void *);
+#endif
#ifdef HAVE_TLS_SESSION_TICKETS
int ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *,
EVP_CIPHER_CTX *, HMAC_CTX *, int);
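Review bot: ssl_callback_ClientHello hands the raw SNI bytes to init_vhost without the content check OpenSSL applies before SSL_get_servername() will return the same extension: a host name containing an embedded NUL byte passes every length test here and is silently truncated by the C-string copy in `apr_pstrmemdup`, so the vhost lookup can run on a shorter name than the client sent, whereas the SNI-callback path never sees such a name. Adding `if (memchr(pos, '\0', len) != NULL) goto give_up;` immediately before the `apr_pstrmemdup` call keeps the two entry points looking up the same names. The `#endif` comment `/* OPENSSL_VERSION_NUMBER < 0x10101000L */` states the inverse of its `#if`; it should read `/* OPENSSL_VERSION_NUMBER >= 0x10101000L && !LIBRESSL_VERSION_NUMBER */`. In init_vhost, `vhost_found` is set to -1 before the lookup and to +1 only on the `ap_vhost_iterate_given_conn` success path; the challenge branch and the rest of the function are outside the hunk, so whether a challenge-certificate match should also mark the vhost as found is worth confirming.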


@ -0,0 +1,188 @@
diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
index 018b667..4e3875a 100644
--- a/modules/ssl/ssl_engine_io.c
+++ b/modules/ssl/ssl_engine_io.c
@@ -1598,18 +1598,32 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f,
}
-/* ssl_io_filter_output() produces one SSL/TLS message per bucket
+/* ssl_io_filter_output() produces one SSL/TLS record per bucket
* passed down the output filter stack. This results in a high
- * overhead (network packets) for any output comprising many small
- * buckets. SSI page applied through the HTTP chunk filter, for
- * example, may produce many brigades containing small buckets -
- * [chunk-size CRLF] [chunk-data] [CRLF].
+ * overhead (more network packets & TLS processing) for any output
+ * comprising many small buckets. SSI output passed through the HTTP
+ * chunk filter, for example, may produce many brigades containing
+ * small buckets - [chunk-size CRLF] [chunk-data] [CRLF].
*
- * The coalescing filter merges many small buckets into larger buckets
- * where possible, allowing the SSL I/O output filter to handle them
- * more efficiently. */
+ * Sending HTTP response headers as a separate TLS record to the
+ * response body also reveals information to a network observer (the
+ * size of headers) which can be significant.
+ *
+ * The coalescing filter merges data buckets with the aim of producing
+ * fewer, larger TLS records - without copying/buffering all content
+ * and introducing unnecessary overhead.
+ *
+ * ### This buffering could be probably be done more comprehensively
+ * ### in ssl_io_filter_output itself.
+ *
+ * ### Another possible performance optimisation in particular for the
+ * ### [HEAP] [FILE] HTTP response case is using a brigade rather than
+ * ### a char array to buffer; using apr_brigade_write() to append
+ * ### will use already-allocated memory from the HEAP, reducing # of
+ * ### copies.
+ */
-#define COALESCE_BYTES (2048)
+#define COALESCE_BYTES (AP_IOBUFSIZE)
struct coalesce_ctx {
char buffer[COALESCE_BYTES];
@@ -1622,11 +1636,12 @@ static apr_status_t ssl_io_filter_coalesce(ap_filter_t *f,
apr_bucket *e, *upto;
apr_size_t bytes = 0;
struct coalesce_ctx *ctx = f->ctx;
+ apr_size_t buffered = ctx ? ctx->bytes : 0; /* space used on entry */
unsigned count = 0;
/* The brigade consists of zero-or-more small data buckets which
- * can be coalesced (the prefix), followed by the remainder of the
- * brigade.
+ * can be coalesced (referred to as the "prefix"), followed by the
+ * remainder of the brigade.
*
* Find the last bucket - if any - of that prefix. count gives
* the number of buckets in the prefix. The "prefix" must contain
@@ -1641,24 +1656,97 @@ static apr_status_t ssl_io_filter_coalesce(ap_filter_t *f,
e != APR_BRIGADE_SENTINEL(bb)
&& !APR_BUCKET_IS_METADATA(e)
&& e->length != (apr_size_t)-1
- && e->length < COALESCE_BYTES
- && (bytes + e->length) < COALESCE_BYTES
- && (ctx == NULL
- || bytes + ctx->bytes + e->length < COALESCE_BYTES);
+ && e->length <= COALESCE_BYTES
+ && (buffered + bytes + e->length) <= COALESCE_BYTES;
e = APR_BUCKET_NEXT(e)) {
if (e->length) count++; /* don't count zero-length buckets */
bytes += e->length;
}
+
+ /* If there is room remaining and the next bucket is a data
+ * bucket, try to include it in the prefix to coalesce. For a
+ * typical [HEAP] [FILE] HTTP response brigade, this handles
+ * merging the headers and the start of the body into a single TLS
+ * record. */
+ if (bytes + buffered > 0
+ && bytes + buffered < COALESCE_BYTES
+ && e != APR_BRIGADE_SENTINEL(bb)
+ && !APR_BUCKET_IS_METADATA(e)) {
+ apr_status_t rv = APR_SUCCESS;
+
+ /* For an indeterminate length bucket (PIPE/CGI/...), try a
+ * non-blocking read to have it morph into a HEAP. If the
+ * read fails with EAGAIN, it is harmless to try a split
+ * anyway, split is ENOTIMPL for most PIPE-like buckets. */
+ if (e->length == (apr_size_t)-1) {
+ const char *discard;
+ apr_size_t ignore;
+
+ rv = apr_bucket_read(e, &discard, &ignore, APR_NONBLOCK_READ);
+ if (rv != APR_SUCCESS && !APR_STATUS_IS_EAGAIN(rv)) {
+ ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, f->c, APLOGNO(10232)
+ "coalesce failed to read from %s bucket",
+ e->type->name);
+ return AP_FILTER_ERROR;
+ }
+ }
+
+ if (rv == APR_SUCCESS) {
+ /* If the read above made the bucket morph, it may now fit
+ * entirely within the buffer. Otherwise, split it so it does
+ * fit. */
+ if (e->length > COALESCE_BYTES
+ || e->length + buffered + bytes > COALESCE_BYTES) {
+ rv = apr_bucket_split(e, COALESCE_BYTES - (buffered + bytes));
+ }
+
+ if (rv == APR_SUCCESS && e->length == 0) {
+ /* As above, don't count in the prefix if the bucket is
+ * now zero-length. */
+ }
+ else if (rv == APR_SUCCESS) {
+ ap_log_cerror(APLOG_MARK, APLOG_TRACE4, 0, f->c,
+ "coalesce: adding %" APR_SIZE_T_FMT " bytes "
+ "from split %s bucket, total %" APR_SIZE_T_FMT,
+ e->length, e->type->name, bytes + buffered);
+
+ count++;
+ bytes += e->length;
+ e = APR_BUCKET_NEXT(e);
+ }
+ else if (rv != APR_ENOTIMPL) {
+ ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, f->c, APLOGNO(10233)
+ "coalesce: failed to split data bucket");
+ return AP_FILTER_ERROR;
+ }
+ }
+ }
+
+ /* The prefix is zero or more buckets. upto now points to the
+ * bucket AFTER the end of the prefix, which may be the brigade
+ * sentinel. */
upto = e;
- /* Coalesce the prefix, if:
- * a) more than one bucket is found to coalesce, or
- * b) the brigade contains only a single data bucket, or
- * c) the data bucket is not last but we have buffered data already.
+ /* Coalesce the prefix, if any of the following are true:
+ *
+ * a) the prefix is more than one bucket
+ * OR
+ * b) the prefix is the entire brigade, which is a single bucket
+ * AND the prefix length is smaller than the buffer size,
+ * OR
+ * c) the prefix is a single bucket
+ * AND there is buffered data from a previous pass.
+ *
+ * The aim with (b) is to buffer a small bucket so it can be
+ * coalesced with future invocations of this filter. e.g. three
+ * calls each with a single 100 byte HEAP bucket should get
+ * coalesced together. But an invocation with a 8192 byte HEAP
+ * should pass through untouched.
*/
if (bytes > 0
&& (count > 1
- || (upto == APR_BRIGADE_SENTINEL(bb))
+ || (upto == APR_BRIGADE_SENTINEL(bb)
+ && bytes < COALESCE_BYTES)
|| (ctx && ctx->bytes > 0))) {
/* If coalescing some bytes, ensure a context has been
* created. */
@@ -1669,7 +1757,8 @@ static apr_status_t ssl_io_filter_coalesce(ap_filter_t *f,
ap_log_cerror(APLOG_MARK, APLOG_TRACE4, 0, f->c,
"coalesce: have %" APR_SIZE_T_FMT " bytes, "
- "adding %" APR_SIZE_T_FMT " more", ctx->bytes, bytes);
+ "adding %" APR_SIZE_T_FMT " more (buckets=%u)",
+ ctx->bytes, bytes, count);
/* Iterate through the prefix segment. For non-fatal errors
* in this loop it is safe to break out and fall back to the
@@ -1684,7 +1773,8 @@ static apr_status_t ssl_io_filter_coalesce(ap_filter_t *f,
if (APR_BUCKET_IS_METADATA(e)
|| e->length == (apr_size_t)-1) {
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, f->c, APLOGNO(02012)
- "unexpected bucket type during coalesce");
+ "unexpected %s bucket during coalesce",
+ e->type->name);
break; /* non-fatal error; break out */
}
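Review bot: The comment above the non-blocking read says that after EAGAIN it is harmless to attempt the split anyway, but `if (rv == APR_SUCCESS)` two lines below skips the split whenever the read returned EAGAIN, so the comment describes behaviour the code does not have; either the condition becomes `if (rv == APR_SUCCESS || APR_STATUS_IS_EAGAIN(rv))` or the comment should say `/* On EAGAIN the bucket is left out of the prefix and passed through unsplit. */`. The `e->length > COALESCE_BYTES` test in the split condition is not redundant with the sum that follows it — it is what stops `(apr_size_t)-1 + buffered + bytes` wrapping for a bucket that is still indeterminate after a successful read — and that deserves a one-line comment since it reads as a duplicate. The empty `if` body at the zero-length check reads as a placeholder; `else if (rv == APR_SUCCESS && e->length != 0)` on the next branch removes the dead block while keeping the explanatory comment. ssl_io_filter_coalesce starts and continues outside these hunks.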


@ -0,0 +1,178 @@
diff --git a/docs/manual/mod/mod_usertrack.html.en b/docs/manual/mod/mod_usertrack.html.en
index b212747..d2da9b9 100644
--- a/docs/manual/mod/mod_usertrack.html.en
+++ b/docs/manual/mod/mod_usertrack.html.en
@@ -47,7 +47,10 @@
<ul id="toc">
<li><img alt="" src="../images/down.gif" /> <a href="#cookiedomain">CookieDomain</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#cookieexpires">CookieExpires</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#cookiehttponly">CookieHTTPOnly</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#cookiename">CookieName</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#cookiesamesite">CookieSameSite</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#cookiesecure">CookieSecure</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#cookiestyle">CookieStyle</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#cookietracking">CookieTracking</a></li>
</ul>
@@ -127,6 +130,22 @@ CustomLog "logs/clickstream.log" usertrack</pre>
<pre class="prettyprint lang-config">CookieExpires "3 weeks"</pre>
+</div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="directive-section"><h2><a name="CookieHTTPOnly" id="CookieHTTPOnly">CookieHTTPOnly</a> <a name="cookiehttponly" id="cookiehttponly">Directive</a></h2>
+<table class="directive">
+<tbody><tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Adds the 'HTTPOnly' attribute to the cookie</td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>CookieHTTPOnly on|off</code></td></tr>
+<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>CookieHTTPOnly off</code></td></tr>
+<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
+<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>FileInfo</td></tr>
+<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
+<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_usertrack</td></tr>
+</tbody></table>
+ <p>When set to 'ON', the 'HTTPOnly' cookie attribute is added to this
+ modules tracking cookie. This attribute instructs browsers to block javascript
+ from reading the value of the cookie.</p>
+
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="CookieName" id="CookieName">CookieName</a> <a name="cookiename" id="cookiename">Directive</a></h2>
@@ -150,6 +169,45 @@ CustomLog "logs/clickstream.log" usertrack</pre>
<pre class="prettyprint lang-config">CookieName clicktrack</pre>
+</div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="directive-section"><h2><a name="CookieSameSite" id="CookieSameSite">CookieSameSite</a> <a name="cookiesamesite" id="cookiesamesite">Directive</a></h2>
+<table class="directive">
+<tbody><tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Adds the 'SameSite' attribute to the cookie</td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>CookieSameSite None|Lax|Strict</code></td></tr>
+<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>unset</code></td></tr>
+<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
+<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>FileInfo</td></tr>
+<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
+<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_usertrack</td></tr>
+</tbody></table>
+ <p>When set to 'None', 'Lax', or 'Strict', the 'SameSite' cookie attribute
+ is added to this modules tracking cookie with the corresponding value.
+ This attribute instructs browser on how to treat the cookie when it is
+ requested in a cross-site context.</p>
+
+ <div class="note">
+ <p>A value of 'None' sets 'SameSite=None', which is the most liberal setting. To
+ omit this attribute, omit the directive entirely.</p>
+ </div>
+
+
+</div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="directive-section"><h2><a name="CookieSecure" id="CookieSecure">CookieSecure</a> <a name="cookiesecure" id="cookiesecure">Directive</a></h2>
+<table class="directive">
+<tbody><tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Adds the 'Secure' attribute to the cookie</td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>CookieSecure on|off</code></td></tr>
+<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>CookieSecure off</code></td></tr>
+<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
+<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>FileInfo</td></tr>
+<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
+<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_usertrack</td></tr>
+</tbody></table>
+ <p>When set to 'ON', the 'Secure' cookie attribute is added to this
+ modules tracking cookie. This attribute instructs browsers to only
+ transmit the cookie over HTTPS.</p>
+
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="CookieStyle" id="CookieStyle">CookieStyle</a> <a name="cookiestyle" id="cookiestyle">Directive</a></h2>
diff --git a/modules/metadata/mod_usertrack.c b/modules/metadata/mod_usertrack.c
index 73a9f45..65759c2 100644
--- a/modules/metadata/mod_usertrack.c
+++ b/modules/metadata/mod_usertrack.c
@@ -86,6 +86,9 @@ typedef struct {
const char *cookie_domain;
char *regexp_string; /* used to compile regexp; save for debugging */
ap_regex_t *regexp; /* used to find usertrack cookie in cookie header */
+ int is_secure;
+ int is_httponly;
+ const char *samesite;
} cookie_dir_rec;
/* Make Cookie: Now we have to generate something that is going to be
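Review bot: The three fields added to cookie_dir_rec are the only members in view without a trailing comment, while the `regexp_string` and `regexp` lines beside them say what they are for. A one-line comment each would record how they are consumed: `int is_secure;        /* CookieSecure: append "; Secure" to the tracking cookie */`, `int is_httponly;      /* CookieHttpOnly: append "; HttpOnly" */`, `const char *samesite; /* CookieSameSite: ready-made "SameSite=..." attribute, NULL when unset */`. The struct definition begins outside the hunk.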
@@ -143,6 +146,21 @@ static void make_cookie(request_rec *r)
: ""),
NULL);
}
+ if (dcfg->samesite != NULL) {
+ new_cookie = apr_pstrcat(r->pool, new_cookie, "; ",
+ dcfg->samesite,
+ NULL);
+ }
+ if (dcfg->is_secure) {
+ new_cookie = apr_pstrcat(r->pool, new_cookie, "; Secure",
+ NULL);
+ }
+ if (dcfg->is_httponly) {
+ new_cookie = apr_pstrcat(r->pool, new_cookie, "; HttpOnly",
+ NULL);
+ }
+
+
apr_table_addn(r->err_headers_out,
(dcfg->style == CT_COOKIE2 ? "Set-Cookie2" : "Set-Cookie"),
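Review bot: Nothing ties `CookieSameSite None` to `CookieSecure`, so with the default `CookieSecure off` the cookie is emitted as `...; SameSite=None` with no `Secure` attribute; browsers that enforce the rule that a SameSite=None cookie must also be Secure discard it, and tracking silently stops working with no hint in the error log. A config-time check belongs in the directive handler or a post-config hook rather than on the request path, but at minimum the appending code should say so and the CookieSameSite documentation in this patch should state that None only works together with `CookieSecure on`, e.g. `/* SameSite=None is only honoured by browsers when the cookie is also Secure (CookieSecure on) */` above the samesite block. The two consecutive blank lines after the HttpOnly block are stray. make_cookie starts and ends outside the hunk.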
@@ -269,6 +287,7 @@ static void *make_cookie_dir(apr_pool_t *p, char *d)
dcfg->cookie_domain = NULL;
dcfg->style = CT_UNSET;
dcfg->enabled = 0;
+ /* calloc'ed to disabled: samesite, is_secure, is_httponly */
/* In case the user does not use the CookieName directive,
* we need to compile the regexp for the default cookie name. */
@@ -429,6 +448,31 @@ static const char *set_cookie_style(cmd_parms *cmd, void *mconfig,
return NULL;
}
+/*
+ * SameSite enabled disabled
+ */
+
+static const char *set_samesite_value(cmd_parms *cmd, void *mconfig,
+ const char *name)
+{
+ cookie_dir_rec *dcfg;
+
+ dcfg = (cookie_dir_rec *) mconfig;
+
+ if (strcasecmp(name, "strict") == 0) {
+ dcfg->samesite = "SameSite=Strict";
+ } else if (strcasecmp(name, "lax") == 0) {
+ dcfg->samesite = "SameSite=Lax";
+ } else if (strcasecmp(name, "none") == 0) {
+ dcfg->samesite = "SameSite=None";
+ } else {
+ return "CookieSameSite accepts 'Strict', 'Lax', or 'None'";
+ }
+
+
+ return NULL;
+}
+
static const command_rec cookie_log_cmds[] = {
AP_INIT_TAKE1("CookieExpires", set_cookie_exp, NULL, OR_FILEINFO,
"an expiry date code"),
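Review bot: The header comment `SameSite enabled disabled` above set_samesite_value does not describe the function, which maps the directive argument onto a literal attribute string and rejects anything else. Suggested replacement: `/* CookieSameSite handler: accepts Strict, Lax or None (case-insensitively) and stores the ready-made "SameSite=..." attribute in dcfg->samesite; any other argument is a configuration error. */`. The double blank line before `return NULL;` is stray. The function is complete within the hunk.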
@@ -440,6 +484,17 @@ static const command_rec cookie_log_cmds[] = {
"whether or not to enable cookies"),
AP_INIT_TAKE1("CookieName", set_cookie_name, NULL, OR_FILEINFO,
"name of the tracking cookie"),
+ AP_INIT_FLAG("CookieTracking", set_cookie_enable, NULL, OR_FILEINFO,
+ "whether or not to enable cookies"),
+ AP_INIT_TAKE1("CookieSameSite", set_samesite_value, NULL, OR_FILEINFO,
+ "SameSite setting"),
+ AP_INIT_FLAG("CookieSecure", ap_set_flag_slot,
+ (void *)APR_OFFSETOF(cookie_dir_rec, is_secure), OR_FILEINFO,
+ "is cookie secure"),
+ AP_INIT_FLAG("CookieHttpOnly", ap_set_flag_slot,
+ (void *)APR_OFFSETOF(cookie_dir_rec, is_httponly),OR_FILEINFO,
+ "is cookie http only"),
+
{NULL}
};
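Review bot: The first entry of the added block, `AP_INIT_FLAG("CookieTracking", set_cookie_enable, NULL, OR_FILEINFO, "whether or not to enable cookies")`, appears to re-register a directive the table already holds: the context line immediately above it is the identical help string of the existing CookieTracking entry, whose `AP_INIT_FLAG` line sits just outside the hunk. As far as I can tell directive lookup takes the first match, so the duplicate is dead rather than harmful, but it is confusing and would be listed twice by anything that walks the command table; I would drop those two lines. Separately, `is_httponly),OR_FILEINFO` on the CookieHttpOnly entry lacks the space after the comma that the CookieSecure entry above it has.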

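--- /dev/null
+++ b/SOURCES/httpd.conf.xml
@@ -0,0 +1,259 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+]>
+<!--
+Copyright 2018 Red Hat, Inc.
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<refentry>
+<refentryinfo>
+<title>httpd.conf</title>
+<productname>httpd</productname>
+<author><contrib>Author</contrib><surname>Orton</surname><firstname>Joe</firstname><email>jorton@redhat.com</email></author>
+</refentryinfo>
+<refmeta>
+<refentrytitle>httpd.conf</refentrytitle>
+<manvolnum>5</manvolnum>
+</refmeta>
+<refnamediv>
+<refname>httpd.conf</refname>
+<refpurpose>Configuration files for httpd</refpurpose>
+</refnamediv>
+<refsynopsisdiv>
+<para>
+<filename>/etc/httpd/conf/httpd.conf</filename>,
+<filename>/etc/httpd/conf.modules.d</filename>,
+<filename>/etc/httpd/conf.d</filename>
+</para>
+</refsynopsisdiv>
+<refsect1>
+<title>Description</title>
+<para>The main configuration file for the <command>httpd</command> daemon is
+<filename>/etc/httpd/conf/httpd.conf</filename>. The syntax of
+this file is described at <ulink
+url="https://httpd.apache.org/docs/2.4/configuring.html"/>, and
+the full set of available directives is listed at <ulink
+url="https://httpd.apache.org/docs/2.4/mod/directives.html"/>.
+</para>
+<refsect2>
+<title>Configuration structure</title>
+<para>The main configuration file
+(<filename>httpd.conf</filename>) sets up various defaults and
+includes configuration files from two directories -
+<filename>/etc/httpd/conf.modules.d</filename> and
+<filename>/etc/httpd/conf.d</filename>. Packages containing
+loadable modules (like <option>mod_ssl.so</option>) place files
+in the <filename>conf.modules.d</filename> directory with the
+appropriate <option>LoadModule</option> directive so that module
+is loaded by default.</para>
+<para>Some notable configured defaults are:.</para>
+<variablelist>
+<varlistentry>
+<term><option>DocumentRoot @DOCROOT@/html</option></term>
+<listitem><para>The default document root from which content
+is served.</para></listitem>
+</varlistentry>
+<varlistentry>
+<term><option>Listen 80</option></term>
+<listitem><para>The daemon lists on TCP port 80.</para></listitem>
+</varlistentry>
+<varlistentry>
+<term><option>ErrorLog "logs/error_log"</option></term>
+<listitem><para>Error messages are logged to
+<filename>@LOGDIR@/error_log</filename>.</para></listitem>
+</varlistentry>
+<varlistentry>
+<term><option>ScriptAlias /cgi-bin/ "@DOCROOT@/cgi-bin/"</option></term>
+<listitem><para>CGI scripts are served via the URL-path <option>/cgi-bin/</option>.</para></listitem>
+</varlistentry>
+</variablelist>
+<para>To remove any of the default configuration provided in
+separate files covered below, replace that file with an empty
+file rather than removing it from the filesystem, otherwise it
+may be restored to the original when the package which provides
+it is upgraded.</para>
+</refsect2>
+<refsect2>
+<title>MPM configuration</title>
+<para>The configuration file at
+<filename>/etc/httpd/conf.modules.d/00-mpm.conf</filename> is
+used to select the multi-processing module (MPM), which governs
+how <command>httpd</command> divides work between processes
+and/or threads at run-time. Exactly one
+<option>LoadModule</option> directive must be uncommented in
+this file; by default the <option>@MPM@</option> MPM is enabled.
+For more information on MPMs, see <ulink
+url="https://httpd.apache.org/docs/2.4/mpm.html"/>.</para>
+<para>If using the <emphasis>prefork</emphasis> MPM, the
+"httpd_graceful_shutdown" SELinux boolean should also be
+enabled, since with this MPM, httpd needs to establish TCP
+connections to local ports to successfully complete a graceful
+restart or shutdown. This boolean can be enabled by running the
+command: <command>semanage boolean -m --on
+httpd_graceful_shutdown</command></para>
+</refsect2>
+<refsect2>
+<title>Module configuration files</title>
+<para>Module configuration files are provided in the
+<filename>/etc/httpd/conf.modules.d/</filename> directory. Filenames
+in this directory are by convention prefixed with two digit numeric
+prefix to ensure they are processed in the desired order. Core
+modules provide with the <command>httpd</command> package are
+loaded by files with a <option>0x-</option> prefix to ensure
+these are loaded first. Only filenames with a
+<option>.conf</option> suffix in this directory will be
+processed.</para>
+<para>Other provided configuration files are listed below.
+<variablelist>
+<varlistentry>
+<term><filename>/etc/httpd/conf.modules.d/00-base.conf</filename></term>
+<listitem><para>The set of core modules included with
+<command>httpd</command> which are all loaded by
+default.</para></listitem>
+</varlistentry>
+<varlistentry>
+<term><filename>/etc/httpd/conf.modules.d/00-optional.conf</filename></term>
+<listitem><para>The set of non-core modules included with
+<command>httpd</command> which are <emphasis>not</emphasis>
+loaded by default.</para></listitem>
+</varlistentry>
+<varlistentry>
+<term><filename>/etc/httpd/conf.modules.d/00-systemd.conf</filename></term>
+<listitem><para>This file loads <option>mod_systemd</option>
+which is necessary for the correct operation of the
+<command>httpd.service</command> service, and should not be
+removed or disabled.</para></listitem>
+</varlistentry>
+</variablelist>
+</para>
+</refsect2>
+<refsect2>
+<title>Other configuration files</title>
+<para>Default module configuration files and site-specific
+configuration files are loaded from the
+<filename>/etc/httpd/conf.d/</filename> directory. Only files
+with a <option>.conf</option> suffix will be loaded. The
+following files are provided:
+<variablelist>
+<varlistentry>
+<term><filename>/etc/httpd/conf.d/userdir.conf</filename></term>
+<listitem><para>This file gives an example configuration for
+<option>mod_userdir</option> to map URLs such as
+<option>http://localhost/~jim/</option> to
+<filename>/home/jim/public_html/</filename>. Userdir mapping
+is disabled by default.</para></listitem>
+</varlistentry>
+<varlistentry>
+<term><filename>/etc/httpd/conf.d/autoindex.conf</filename></term>
+<listitem><para>This file provides the default configuration
+for <option>mod_autoindex</option> which generates HTML
+directory listings when enabled. It also makes file icon
+image files available at the <option>/icons/</option>
+URL-path.</para></listitem>
+</varlistentry>
+<varlistentry>
+<term><filename>/etc/httpd/conf.d/welcome.conf</filename></term>
+<listitem><para>This file enables a "welcome page" at
+<option>http://localhost/</option> if no content is present
+in the default documentation root
+<filename>/var/www/html</filename>.</para></listitem>
+</varlistentry>
+<varlistentry>
+<term><filename>/etc/httpd/conf.d/ssl.conf</filename> (present only if <option>mod_ssl</option> is installed)</term>
+<listitem><para>This file configures a TLS
+<option>VirtualHost</option> listening on port
+<option>443</option>. If the default configuration is used,
+the referenced test certificate and private key are
+generated the first time <command>httpd.service</command> is
+started; see
+<citerefentry><refentrytitle>httpd-init.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+for more information.</para></listitem>
+</varlistentry>
+</variablelist></para>
+</refsect2>
+<refsect2>
+<title>Instantiated services</title>
+<para>As an alternative to (or in addition to) the
+<command>httpd.service</command> unit, the instantiated template
+service <command>httpd@.service</command> unit file can be used,
+which starts <command>httpd</command> using a different
+configuration file to the default. For example,
+<command>systemctl start httpd@foobar.service</command> will
+start httpd using the configuration file
+<filename>/etc/httpd/conf/foobar.conf</filename>. See <citerefentry><refentrytitle>httpd@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> for more information.</para>
+</refsect2>
+</refsect1>
+<refsect1>
+<title>Files</title>
+<para>
+<filename>/etc/httpd/conf/httpd.conf</filename>,
+<filename>/etc/httpd/conf.d</filename>,
+<filename>/etc/httpd/conf.modules.d</filename>
+</para>
+</refsect1>
+<refsect1>
+<title>See also</title>
+<para>
+<citerefentry><refentrytitle>httpd</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+<citerefentry><refentrytitle>httpd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+<ulink url="https://httpd.apache.org/docs/2.4/configuring.html"/>,
+<ulink url="https://httpd.apache.org/docs/2.4/mod/directives.html"/>
+</para>
+</refsect1>
+</refentry>
+<!-- LocalWords: systemd PidFile
+-->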
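--- /dev/null
+++ b/SOURCES/httpd.service.xml
@@ -0,0 +1,332 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+]>
+<!--
+Copyright 2018 Red Hat, Inc.
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<refentry>
+<refentryinfo>
+<title>httpd systemd units</title>
+<productname>httpd</productname>
+<author><contrib>Author</contrib><surname>Orton</surname><firstname>Joe</firstname><email>jorton@redhat.com</email></author>
+</refentryinfo>
+<refmeta>
+<refentrytitle>httpd.service</refentrytitle>
+<manvolnum>8</manvolnum>
+</refmeta>
+<refnamediv>
+<refname>httpd.service</refname>
+<refname>httpd@.service</refname>
+<refname>httpd.socket</refname>
+<refname>httpd-init.service</refname>
+<refpurpose>httpd unit files for systemd</refpurpose>
+</refnamediv>
+<refsynopsisdiv>
+<para>
+<filename>/usr/lib/systemd/system/httpd.service</filename>,
+<filename>/usr/lib/systemd/system/httpd@.service</filename>,
+<filename>/usr/lib/systemd/system/httpd-init.service</filename>,
+<filename>/usr/lib/systemd/system/httpd.socket</filename>
+</para>
+</refsynopsisdiv>
+<refsect1>
+<title>Description</title>
+<para>This manual page describes the <command>systemd</command>
+unit files used to integrate the <command>httpd</command> daemon
+with <command>systemd</command>. Two main unit files are
+available: <command>httpd.service</command> allows the
+<command>httpd</command> daemon to be run as a system service, and
+<command>httpd.socket</command> allows httpd to be started via
+socket-based activation. Most systems will use
+<command>httpd.service</command>.</para>
+<para>The <command>apachectl</command> command has been modified
+to invoke <command>systemctl</command> for most uses, so for
+example, running <command>apachectl start</command> is equivalent
+to running <command>systemctl start httpd.service</command>. This
+ensures that the running httpd daemon is tracked and managed by
+<command>systemd</command>. In contrast, running
+<command>httpd</command> directly from a root shell will start the
+service outside of <command>systemd</command>; in this case,
+default security restrictions described below (including, but not
+limited to, SELinux) will not be enforced.</para>
+<refsect2>
+<title>Changing default behaviour</title>
+<para>To change the default behaviour of the httpd service, an
+<emphasis>over-ride</emphasis> file should be created, rather
+than changing
+<filename>/usr/lib/systemd/system/httpd.service</filename>
+directly, since such changes would be lost over package
+upgrades. Running <command>systemctl edit
+httpd.service</command> or <command>systemctl edit
+httpd.socket</command> as root will create a drop-in file (in
+the former case, in
+<filename>/etc/systemd/system/httpd.service.d</filename>) which
+over-rides the system defaults.</para>
+<para>For example, to set the <option>LD_LIBRARY_PATH</option>
+environment variable for the daemon, run <command>systemctl edit
+httpd.service</command> and enter:
+<programlisting>[Service]
+Environment=LD_LIBRARY_PATH=/opt/vendor/lib</programlisting></para>
+</refsect2>
+<refsect2>
+<title>Starting the service at boot time</title>
+<para>The httpd.service and httpd.socket units are
+<emphasis>disabled</emphasis> by default. To start the httpd
+service at boot time, run: <command>systemctl enable
+httpd.service</command>. In the default configuration, the
+httpd daemon will accept connections on port 80 (and, if mod_ssl
+is installed, TLS connections on port 443) for any configured
+IPv4 or IPv6 address.</para>
+<para>If httpd is configured to depend on any specific IP
+address (for example, with a "Listen" directive) which may only
+become available during start-up, or if httpd depends on other
+services (such as a database daemon), the service
+<emphasis>must</emphasis> be configured to ensure correct
+start-up ordering.</para>
+<para>For example, to ensure httpd is only running after all
+configured network interfaces are configured, create a drop-in
+file (as described above) with the following section:
+<programlisting>[Unit]
+After=network-online.target
+Wants=network-online.target</programlisting>
+See <ulink
+url="https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/"/>
+for more information on start-up ordering with systemd.</para>
+</refsect2>
+<refsect2>
+<title>SSL/TLS certificate generation</title>
+<para>The <command>httpd-init.service</command> unit is provided
+with the mod_ssl package. This oneshot unit automatically
+creates a TLS server certificate and key (using a generated
+self-signed CA certificate and key) for testing purposes before
+httpd is started. To inhibit certificate generation, use
+<command>systemctl mask httpd-init.service</command> after
+installing mod_ssl, and adjust the mod_ssl configuration to use
+an appropriate certificate and key.</para>
+</refsect2>
+<refsect2>
+<title>Reloading and stopping the service</title>
+<para>When running <command>systemctl reload
+httpd.service</command>, a <emphasis>graceful</emphasis>
+restart is used, which sends a signal to the httpd parent
+process to reload the configuration and re-open log files. Any
+children with open connections at the time of reload will
+terminate only once they have completed serving requests. This
+prevents users of the server seeing errors (or potentially
+losing data) due to the reload, but means some there is some
+delay before any configuration changes take effect for all
+users.</para>
+<para>Similarly, a <emphasis>graceful stop</emphasis> is used
+when <command>systemctl stop httpd.service</command> is run,
+which terminates the server only once active connections have
+been processed.</para>
+<para>To "ungracefully" stop the server without waiting for
+requests to complete, use <command>systemctl kill
+--kill-who=main httpd</command>; similarly to "ungracefully"
+reload the configuration, use <command>systemctl kill
+--kill-who=main --signal=HUP httpd</command>.</para>
+</refsect2>
+<refsect2>
+<title>Automated service restarts</title>
+<para>System packages (including the httpd package itself) may
+restart the httpd service automatically after packages are
+upgraded, installed, or removed. This is done using the
+<command>systemctl reload httpd.service</command>, which
+produces a <emphasis>graceful</emphasis> restart by default as
+described above.</para>
+<para>To suppress automatic reloads entirely, create the file
+<filename>/etc/sysconfig/httpd-disable-posttrans</filename>.</para>
+</refsect2>
+<refsect2>
+<title>Changing the default MPM (Multi-Processing Module)</title>
+<para>httpd offers a choice of multi-processing modules (MPMs),
+which can be configured in
+<filename>/etc/httpd/conf.modules.d/00-mpm.conf</filename>.
+See
+<citerefentry><refentrytitle>httpd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+for more information on changing the MPM.</para>
+</refsect2>
+<refsect2>
+<title>systemd integration and mod_systemd</title>
+<para>The httpd service uses the <option>notify</option> systemd
+service type. The <literal>mod_systemd</literal> module must be
+loaded (as in the default configuration) for this to work
+correctly - the service will fail if this module is not
+loaded. <literal>mod_systemd</literal> also makes worker and
+request statistics available when running <command>systemctl status
+httpd</command>. See
+<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+for more information on systemd service types.</para>
+</refsect2>
+<refsect2>
+<title>Security and SELinux</title>
+<para>The default SELinux policy restricts the httpd service in
+various ways. For example, the default policy limits the ports
+to which httpd can bind (using the <literal>Listen</literal>
+directive), which parts of the filesystem can be accessed, and
+whether outgoing TCP connections are possible. Many of these
+restrictions can be relaxed or adjusted by using
+<command>semanage</command> to change booleans or other
+types. See
+<citerefentry><refentrytitle>httpd_selinux</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+for more information.</para>
+<para>The httpd service enables <emphasis>PrivateTmp</emphasis>
+by default. The <filename>/tmp</filename> and
+<filename>/var/tmp</filename> directories available within the
+httpd process (and CGI scripts, etc) are not shared by other
+processes. See
+<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+for more information.</para>
+</refsect2>
+<refsect2>
+<title>Socket activation</title>
+<para>Socket activation (see
+<citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+for more information) can be used with <command>httpd</command>
+by enabling the <command>httpd.socket</command> unit. The
+<command>httpd</command> listener configuration must exactly
+match the <literal>ListenStream</literal> options configured for
+the <command>httpd.socket</command> unit. The default
+<command>httpd.socket</command> has a
+<literal>ListenStream=80</literal> and, if mod_ssl is installed,
+<literal>ListenStream=443</literal> by a drop-in file. If
+additional <literal>Listen</literal> directives are added to the
+httpd configuration, corresponding
+<literal>ListenStream</literal> options should be added via
+drop-in files, for example via <command>systemctl edit
+httpd.socket</command>.</para>
+<para>If using socket activation with httpd, only one listener
+on any given TCP port is supported; a configuration with both
+"<literal>Listen 127.0.0.1:80</literal>" and "<literal>Listen
+192.168.1.2:80</literal>" will not work.</para>
+</refsect2>
+<refsect2>
+<title>Instantiated services</title>
+<para>The <command>httpd@.service</command> unit is an
+instantiated template service. An instance of this unit will be
+started using the configuration file
+<filename>/etc/httpd/conf/INSTANCE.conf</filename>, where
+<emphasis>INSTANCE</emphasis> is replaced with the instance
+name. For example, <command>systemctl start
+httpd@foobar.service</command> will start httpd using the
+configuration file
+<filename>/etc/httpd/conf/foobar.conf</filename>. The
+<option>HTTPD_INSTANCE</option> environment variable is set to
+the instance name by the unit and is available for use within
+the configuration file.</para>
+<para>To allow multiple instances of httpd to run
+simultaneously, a number of configuration directives must be
+changed, such as <command>PidFile</command> and
+<command>DefaultRuntimeDir</command> to pick non-conflicting
+paths, and <command>Listen</command> to choose different ports.
+The example configuration file
+<filename>/usr/share/doc/httpd/instance.conf</filename>
+demonstrates how to make such changes using
+<option>HTTPD_INSTANCE</option> variable.</para>
+<para>It can be useful to configure instances of
+<command>httpd@.service</command> to reload when
+<command>httpd.service</command> is reloaded; for example,
+<command>logrotate</command> will reload only
+<command>httpd.service</command> when logs are rotated. If this
+behaviour is required, create a drop-in file for the instance as
+follows:
+<programlisting>[Unit]
+ReloadPropagatedFrom=httpd.service</programlisting>
+As with normal units, drop-in files for instances can be created
+using <command>systemctl edit</command>, e.g. <command>systemctl edit
+httpd@foobar.service</command>.</para>
+</refsect2>
+</refsect1>
+<refsect1>
+<title>Files</title>
+<para><filename>/usr/lib/systemd/system/httpd.service</filename>,
+<filename>/usr/lib/systemd/system/httpd.socket</filename>,
+<filename>/usr/lib/systemd/system/httpd@.service</filename>,
+<filename>/etc/systemd/systemd/httpd.service.d</filename></para>
+</refsect1>
+<refsect1>
+<title>See also</title>
+<para>
+<citerefentry><refentrytitle>httpd</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+<citerefentry><refentrytitle>httpd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+<citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+<citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+<citerefentry><refentrytitle>httpd_selinux</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+<citerefentry><refentrytitle>semanage</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+</para>
+</refsect1>
+</refentry>
+<!-- LocalWords: systemd PidFile
+-->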

@ -16,4 +16,4 @@
</Directory>
Alias /.noindex.html /usr/share/httpd/noindex/index.html
Alias /poweredby.png /usr/share/httpd/icons/apache_pb2.png
Alias /poweredby.png /usr/share/httpd/icons/apache_pb3.png


@ -13,7 +13,7 @@
Summary: Apache HTTP Server
Name: httpd
Version: 2.4.37
Release: 39%{?dist}
Release: 41%{?dist}
URL: https://httpd.apache.org/
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source2: httpd.logrotate
@ -54,6 +54,7 @@ Source42: httpd-init.service
Source43: httpd-ssl-gencerts
Source44: httpd@.service
Source45: config.layout
Source46: apache-poweredby.png
# build/scripts patches
# http://bugzilla.redhat.com/show_bug.cgi?id=1231924
@ -101,6 +102,8 @@ Patch38: httpd-2.4.37-pr37355.patch
Patch39: httpd-2.4.37-proxy-ws-idle-timeout.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1883648
Patch40: httpd-2.4.37-ssl-proxy-chains.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1935742
Patch41: httpd-2.4.37-usertrack-samesite.patch
# Bug fixes
# https://bugzilla.redhat.com/show_bug.cgi?id=1397243
@ -150,6 +153,12 @@ Patch83: httpd-2.4.37-r1878890.patch
Patch84: httpd-2.4.37-r1878280.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1891594
Patch85: httpd-2.4.37-htcacheclean-dont-break.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1937334
Patch86: httpd-2.4.37-r1873907.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1680111
Patch87: httpd-2.4.37-reply-two-tls-rec.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1905613
Patch88: httpd-2.4.37-r1845768+.patch
# Security fixes
Patch200: httpd-2.4.37-r1851471.patch
@ -179,6 +188,10 @@ Patch209: httpd-2.4.37-CVE-2020-1934.patch
Patch210: httpd-2.4.37-CVE-2018-17199.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1866563
Patch211: httpd-2.4.37-CVE-2020-11984.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1972500
Patch212: httpd-2.4.37-CVE-2021-30641.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1968307
Patch213: httpd-2.4.37-CVE-2021-26690.patch
License: ASL 2.0
Group: System Environment/Daemons
@ -188,7 +201,8 @@ BuildRequires: zlib-devel, libselinux-devel, lua-devel, brotli-devel
BuildRequires: apr-devel >= 1.5.0, apr-util-devel >= 1.5.0, pcre-devel >= 5.0
BuildRequires: systemd-devel
# web server testpage added to redhat-logos in 82.0 (rhbz1896319)
Requires: /etc/mime.types, system-logos-httpd >= 82.0
# new logo requires new footer copyring which was added in rhbz1934800
Requires: /etc/mime.types, system-logos(httpd-logo-ng)
Obsoletes: httpd-suexec
Provides: webserver
Provides: mod_dav = %{version}-%{release}, httpd-suexec = %{version}-%{release}
@ -328,6 +342,7 @@ interface for storing and accessing per-user session data.
%patch38 -p1 -b .pr37355
%patch39 -p1 -b .proxy-ws-idle-timeout
%patch40 -p1 -b .ssl-proxy-chains
%patch41 -p1 -b .usertrack-samesite
%patch61 -p1 -b .r1738878
%patch62 -p1 -b .r1633085
@ -352,6 +367,9 @@ interface for storing and accessing per-user session data.
%patch83 -p1 -b .r1878890
%patch84 -p1 -b .r1878280
%patch85 -p1 -b .htcacheclean-dont-break
%patch86 -p1 -b .r1873907
%patch87 -p1 -b .reply-two-tls-rec
%patch88 -p1 -b .r1845768+
%patch200 -p1 -b .r1851471
%patch201 -p1 -b .CVE-2019-0211
@ -365,6 +383,8 @@ interface for storing and accessing per-user session data.
%patch209 -p1 -b .CVE-2020-1934
%patch210 -p1 -b .CVE-2018-17199
%patch211 -p1 -b .CVE-2020-11984
%patch212 -p1 -b .CVE-2021-30641
%patch213 -p1 -b .CVE-2021-26690
# Patch in the vendor string
sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@ -391,6 +411,9 @@ if test "x${vmmn}" != "x%{mmn}"; then
exit 1
fi
# A new logo which comes together with a new test page
cp %{SOURCE46} ./docs/icons/apache_pb3.png
# Provide default layout
cp $RPM_SOURCE_DIR/config.layout .
@ -867,6 +890,20 @@ rm -rf $RPM_BUILD_ROOT
%{_rpmconfigdir}/macros.d/macros.httpd
%changelog
* Fri Jul 09 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-41
- Resolves: #1680111 - httpd sends reply to HTTPS GET using two TLS records
- Resolves: #1905613 - mod_ssl does not like valid certificate chain
- Resolves: #1935742 - [RFE] backport samesite/httponly/secure flags for
usertrack
- Resolves: #1972500 - CVE-2021-30641 httpd:2.4/httpd: MergeSlashes regression
- Resolves: #1968307 - CVE-2021-26690 httpd:2.4/httpd: mod_session NULL pointer
dereference in parser
- Resolves: #1934741 - Apache trademark update - new logo
* Fri May 14 2021 Lubos Uhliarik <luhliari@redhat.com> - 2.4.37-40
- Resolves: #1952557 - mod_proxy_wstunnel.html is a malformed XML
- Resolves: #1937334 - SSLProtocol with based virtual hosts
* Tue Jan 26 2021 Artem Egorenkov <aegorenk@redhat.com> - 2.4.37-39
- prevent htcacheclean from while break when first file processed