Resolves: RHEL-53632 - RFE: httpd, add IP_FREEBIND support for Listen
Resolves: RHEL-53722 - [RFE] ProxyWebsocketIdleTimeout from httpd mod_proxy_wstunnel
This commit is contained in:
		
							parent
							
								
									239a3e0f11
								
							
						
					
					
						commit
						a7f0464790
					
				
							
								
								
									
										124
									
								
								httpd-2.4.62-freebind.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										124
									
								
								httpd-2.4.62-freebind.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,124 @@ | ||||
| diff --git a/docs/manual/mod/mpm_common.html.en b/docs/manual/mod/mpm_common.html.en
 | ||||
| index d7a2fea..c911a4e 100644
 | ||||
| --- a/docs/manual/mod/mpm_common.html.en
 | ||||
| +++ b/docs/manual/mod/mpm_common.html.en
 | ||||
| @@ -42,6 +42,7 @@ more than one multi-processing module (MPM)</td></tr>
 | ||||
|  <li><img alt="" src="../images/down.gif" /> <a href="#enableexceptionhook">EnableExceptionHook</a></li> | ||||
|  <li><img alt="" src="../images/down.gif" /> <a href="#gracefulshutdowntimeout">GracefulShutdownTimeout</a></li> | ||||
|  <li><img alt="" src="../images/down.gif" /> <a href="#listen">Listen</a></li> | ||||
| +<li><img alt="" src="../images/down.gif" /> <a href="#listenfree">ListenFree</a></li>
 | ||||
|  <li><img alt="" src="../images/down.gif" /> <a href="#listenbacklog">ListenBackLog</a></li> | ||||
|  <li><img alt="" src="../images/down.gif" /> <a href="#listencoresbucketsratio">ListenCoresBucketsRatio</a></li> | ||||
|  <li><img alt="" src="../images/down.gif" /> <a href="#maxconnectionsperchild">MaxConnectionsPerChild</a></li> | ||||
| @@ -244,6 +245,31 @@ discussion of the <code>Address already in use</code> error message,
 | ||||
|  including other causes.</a></li> | ||||
|  </ul> | ||||
|  </div> | ||||
| +
 | ||||
| +<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
 | ||||
| +<div class="directive-section"><h2><a name="ListenFree" id="ListenFree">ListenFree</a> <a name="listenfree" id="listenfree">Directive</a></h2>
 | ||||
| +<table class="directive">
 | ||||
| +<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>IP addresses and ports that the server
 | ||||
| +listens to. Doesn't require IP address to be up</td></tr>
 | ||||
| +<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>ListenFree [<var>IP-address</var>:]<var>portnumber</var> [<var>protocol</var>]</code></td></tr>
 | ||||
| +<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
 | ||||
| +<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>MPM</td></tr>
 | ||||
| +<tr><th><a href="directive-dict.html#Module">Module:</a></th><td><code class="module"><a href="../mod/event.html">event</a></code>, <code class="module"><a href="../mod/worker.html">worker</a></code>, <code class="module"><a href="../mod/prefork.html">prefork</a></code>, <code class="module"><a href="../mod/mpm_winnt.html">mpm_winnt</a></code>, <code class="module"><a href="../mod/mpm_netware.html">mpm_netware</a></code>, <code class="module"><a href="../mod/mpmt_os2.html">mpmt_os2</a></code></td></tr>
 | ||||
| +<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>This directive is currently available only in Red Hat Enterprise Linux</td></tr>
 | ||||
| +</table>
 | ||||
| +    <p>The <code class="directive">ListenFree</code> directive is
 | ||||
| +    identical to the <code class="directive">Listen</code> directive. 
 | ||||
| +    The only difference is in the usage of the IP_FREEBIND socket 
 | ||||
| +    option, which is enabled by default with <code class="directive">ListenFree</code>. 
 | ||||
| +    If IP_FREEBIND is enabled, it allows httpd to bind to an IP
 | ||||
| +    address that is nonlocal or does not (yet) exist. This allows httpd to 
 | ||||
| +    listen on a socket without requiring the underlying network interface
 | ||||
| +    or the specified dynamic IP address to be up at the time when httpd
 | ||||
| +    is trying to bind to it.
 | ||||
| +    </p>
 | ||||
| +</div>
 | ||||
| +
 | ||||
| +
 | ||||
|  <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> | ||||
|  <div class="directive-section"><h2><a name="ListenBackLog" id="ListenBackLog">ListenBackLog</a> <a name="listenbacklog" id="listenbacklog">Directive</a></h2> | ||||
|  <table class="directive"> | ||||
| diff --git a/include/ap_listen.h b/include/ap_listen.h
 | ||||
| index d5ed968..be1a60c 100644
 | ||||
| --- a/include/ap_listen.h
 | ||||
| +++ b/include/ap_listen.h
 | ||||
| @@ -138,6 +138,9 @@ AP_DECLARE_NONSTD(const char *) ap_set_listenbacklog(cmd_parms *cmd, void *dummy
 | ||||
|  AP_DECLARE_NONSTD(const char *) ap_set_listencbratio(cmd_parms *cmd, void *dummy, const char *arg); | ||||
|  AP_DECLARE_NONSTD(const char *) ap_set_listener(cmd_parms *cmd, void *dummy, | ||||
|                                                  int argc, char *const argv[]); | ||||
| +AP_DECLARE_NONSTD(const char *) ap_set_freelistener(cmd_parms *cmd, void *dummy,
 | ||||
| +                                                    int argc, char *const argv[]);
 | ||||
| +
 | ||||
|  AP_DECLARE_NONSTD(const char *) ap_set_send_buffer_size(cmd_parms *cmd, void *dummy, | ||||
|                                                          const char *arg); | ||||
|  AP_DECLARE_NONSTD(const char *) ap_set_receive_buffer_size(cmd_parms *cmd, | ||||
| @@ -160,6 +163,8 @@ AP_INIT_TAKE1("ListenCoresBucketsRatio", ap_set_listencbratio, NULL, RSRC_CONF,
 | ||||
|    "Ratio between the number of CPU cores (online) and the number of listeners buckets"), \ | ||||
|  AP_INIT_TAKE_ARGV("Listen", ap_set_listener, NULL, RSRC_CONF, \ | ||||
|    "A port number or a numeric IP address and a port number, and an optional protocol"), \ | ||||
| +AP_INIT_TAKE_ARGV("ListenFree", ap_set_freelistener, NULL, RSRC_CONF, \
 | ||||
| +  "A port number or a numeric IP address and a port number, and an optional protocol"), \
 | ||||
|  AP_INIT_TAKE1("SendBufferSize", ap_set_send_buffer_size, NULL, RSRC_CONF, \ | ||||
|    "Send buffer size in bytes"), \ | ||||
|  AP_INIT_TAKE1("ReceiveBufferSize", ap_set_receive_buffer_size, NULL, \ | ||||
| diff --git a/server/listen.c b/server/listen.c
 | ||||
| index 2a4e87a..280bbe7 100644
 | ||||
| --- a/server/listen.c
 | ||||
| +++ b/server/listen.c
 | ||||
| @@ -60,6 +60,7 @@ static int ap_listenbacklog;
 | ||||
|  static int ap_listencbratio; | ||||
|  static int send_buffer_size; | ||||
|  static int receive_buffer_size; | ||||
| +static int ap_listenfreebind;
 | ||||
|  #ifdef HAVE_SYSTEMD | ||||
|  static int use_systemd = -1; | ||||
|  #endif | ||||
| @@ -159,6 +160,21 @@ static apr_status_t make_sock(apr_pool_t *p, ap_listen_rec *server, int do_bind_
 | ||||
|      } | ||||
|  #endif | ||||
|   | ||||
| +
 | ||||
| +#if defined(APR_SO_FREEBIND)
 | ||||
| +    if (ap_listenfreebind) {
 | ||||
| +        if (apr_socket_opt_set(s, APR_SO_FREEBIND, one) < 0) {
 | ||||
| +            stat = apr_get_netos_error();
 | ||||
| +            ap_log_perror(APLOG_MARK, APLOG_CRIT, stat, p, APLOGNO(02182)
 | ||||
| +                          "make_sock: apr_socket_opt_set: "
 | ||||
| +                          "error setting APR_SO_FREEBIND");
 | ||||
| +            apr_socket_close(s);
 | ||||
| +            return stat;
 | ||||
| +       }
 | ||||
| +   }
 | ||||
| +#endif
 | ||||
| +
 | ||||
| +
 | ||||
|      if (do_bind_listen) { | ||||
|  #if APR_HAVE_IPV6 | ||||
|          if (server->bind_addr->family == APR_INET6) { | ||||
| @@ -971,6 +987,7 @@ AP_DECLARE(void) ap_listen_pre_config(void)
 | ||||
|      } | ||||
|  } | ||||
|   | ||||
| +
 | ||||
|  AP_DECLARE_NONSTD(const char *) ap_set_listener(cmd_parms *cmd, void *dummy, | ||||
|                                                  int argc, char *const argv[]) | ||||
|  { | ||||
| @@ -1044,6 +1061,14 @@ AP_DECLARE_NONSTD(const char *) ap_set_listener(cmd_parms *cmd, void *dummy,
 | ||||
|                            scope_id, NULL, cmd->temp_pool); | ||||
|  } | ||||
|   | ||||
| +AP_DECLARE_NONSTD(const char *) ap_set_freelistener(cmd_parms *cmd, void *dummy,
 | ||||
| +                                                    int argc,
 | ||||
| +                                                    char *const argv[])
 | ||||
| +{
 | ||||
| +    ap_listenfreebind = 1;
 | ||||
| +    return ap_set_listener(cmd, dummy, argc, argv);
 | ||||
| +}
 | ||||
| +
 | ||||
|  AP_DECLARE_NONSTD(const char *) ap_set_listenbacklog(cmd_parms *cmd, | ||||
|                                                       void *dummy, | ||||
|                                                       const char *arg) | ||||
							
								
								
									
										109
									
								
								httpd-2.4.62-proxy-ws-idle-timeout.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										109
									
								
								httpd-2.4.62-proxy-ws-idle-timeout.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,109 @@ | ||||
| diff --git a/docs/manual/mod/mod_proxy_wstunnel.html.en b/docs/manual/mod/mod_proxy_wstunnel.html.en
 | ||||
| index c5004b8..a0ae3c8 100644
 | ||||
| --- a/docs/manual/mod/mod_proxy_wstunnel.html.en
 | ||||
| +++ b/docs/manual/mod/mod_proxy_wstunnel.html.en
 | ||||
| @@ -96,6 +96,7 @@ WebSocket always happens.
 | ||||
|  <div id="quickview"><a href="https://www.apache.org/foundation/contributing.html" class="badge"><img src="https://www.apache.org/images/SupportApache-small.png" alt="Support Apache!" /></a><h3 class="directives">Directives</h3> | ||||
|  <ul id="toc"> | ||||
|  <li><img alt="" src="../images/down.gif" /> <a href="#proxywebsocketfallbacktoproxyhttp">ProxyWebsocketFallbackToProxyHttp</a></li> | ||||
| +<li><img alt="" src="../images/down.gif" /> <a href="#proxywebsocketidletimeout">ProxyWebsocketIdleTimeout</a></li>
 | ||||
|  </ul> | ||||
|  <h3>Bugfix checklist</h3><ul class="seealso"><li><a href="https://www.apache.org/dist/httpd/CHANGES_2.4">httpd changelog</a></li><li><a href="https://bz.apache.org/bugzilla/buglist.cgi?bug_status=__open__&list_id=144532&product=Apache%20httpd-2&query_format=specific&order=changeddate%20DESC%2Cpriority%2Cbug_severity&component=mod_proxy_wstunnel">Known issues</a></li><li><a href="https://bz.apache.org/bugzilla/enter_bug.cgi?product=Apache%20httpd-2&component=mod_proxy_wstunnel">Report a bug</a></li></ul><h3>See also</h3> | ||||
|  <ul class="seealso"> | ||||
| @@ -121,6 +122,23 @@ WebSocket always happens.
 | ||||
|      WebSocket requests as in httpd 2.4.46 and earlier.</p> | ||||
|   | ||||
|  </div> | ||||
| +
 | ||||
| +<div class="directive-section"><h2><a name="ProxyWebsocketIdleTimeout" id="ProxyWebsocketIdleTimeout">ProxyWebsocketIdleTimeout</a> <a name="proxywebsocketidletimeout" id="proxywebsocketidletimeout">Directive</a> <a title="Permanent link" href="#proxywebsocketidletimeout" class="permalink">¶</a></h2>
 | ||||
| +<table class="directive">
 | ||||
| +<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Sets the maximum amount of time to wait for data on the websockets tunnel</td></tr>
 | ||||
| +<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>ProxyWebsocketIdleTimeout <var>num</var>[ms]</code></td></tr>
 | ||||
| +<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>ProxyWebsocketIdleTimeout 0</code></td></tr>
 | ||||
| +<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
 | ||||
| +<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
 | ||||
| +<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_proxy_wstunnel</td></tr>
 | ||||
| +</table>
 | ||||
| +    <p>This directive imposes a maximum amount of time for the tunnel to be
 | ||||
| +    left open while idle. The timeout is considered in seconds by default, but
 | ||||
| +    it is possible to increase the time resolution to milliseconds
 | ||||
| +    adding the <em>ms</em> suffix.</p>
 | ||||
| +
 | ||||
| +</div>
 | ||||
| +
 | ||||
|  </div> | ||||
|  <div class="bottomlang"> | ||||
|  <p><span>Available Languages: </span><a href="../en/mod/mod_proxy_wstunnel.html" title="English"> en </a> | | ||||
| diff --git a/modules/proxy/mod_proxy_wstunnel.c b/modules/proxy/mod_proxy_wstunnel.c
 | ||||
| index 30ba1b4..e27e6f8 100644
 | ||||
| --- a/modules/proxy/mod_proxy_wstunnel.c
 | ||||
| +++ b/modules/proxy/mod_proxy_wstunnel.c
 | ||||
| @@ -22,6 +22,7 @@ module AP_MODULE_DECLARE_DATA proxy_wstunnel_module;
 | ||||
|  typedef struct { | ||||
|      unsigned int fallback_to_proxy_http     :1, | ||||
|                   fallback_to_proxy_http_set :1; | ||||
| +    apr_time_t idle_timeout;
 | ||||
|  } proxyws_dir_conf; | ||||
|   | ||||
|  static int can_fallback_to_proxy_http; | ||||
| @@ -176,6 +177,8 @@ static int proxy_wstunnel_request(apr_pool_t *p, request_rec *r,
 | ||||
|      conn_rec *c = r->connection; | ||||
|      apr_socket_t *sock = conn->sock; | ||||
|      conn_rec *backconn = conn->connection; | ||||
| +    proxyws_dir_conf *dconf = ap_get_module_config(r->per_dir_config,
 | ||||
| +                                                   &proxy_wstunnel_module);
 | ||||
|      char *buf; | ||||
|      apr_bucket_brigade *header_brigade; | ||||
|      apr_bucket *e; | ||||
| @@ -253,10 +256,13 @@ static int proxy_wstunnel_request(apr_pool_t *p, request_rec *r,
 | ||||
|      c->keepalive = AP_CONN_CLOSE; | ||||
|   | ||||
|      do { /* Loop until done (one side closes the connection, or an error) */ | ||||
| -        rv = apr_pollset_poll(pollset, -1, &pollcnt, &signalled);
 | ||||
| +        rv = apr_pollset_poll(pollset, dconf->idle_timeout, &pollcnt, &signalled);
 | ||||
|          if (rv != APR_SUCCESS) { | ||||
|              if (APR_STATUS_IS_EINTR(rv)) { | ||||
|                  continue; | ||||
| +            } else if(APR_STATUS_IS_TIMEUP(rv)){
 | ||||
| +               ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, "RH: the connection has timed out");
 | ||||
| +               return HTTP_REQUEST_TIME_OUT;
 | ||||
|              } | ||||
|              ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(02444) "error apr_poll()"); | ||||
|              return HTTP_INTERNAL_SERVER_ERROR; | ||||
| @@ -442,11 +448,26 @@ cleanup:
 | ||||
|      return status; | ||||
|  } | ||||
|   | ||||
| +static const char * proxyws_set_idle(cmd_parms *cmd, void *conf, const char *val)
 | ||||
| +{
 | ||||
| +    proxyws_dir_conf *dconf = conf;
 | ||||
| +    if (ap_timeout_parameter_parse(val, &(dconf->idle_timeout), "s") != APR_SUCCESS)
 | ||||
| +        return "ProxyWebsocketIdleTimeout timeout has wrong format";
 | ||||
| +
 | ||||
| +    if (dconf->idle_timeout < 0)
 | ||||
| +        return "ProxyWebsocketIdleTimeout timeout has to be a non-negative number";
 | ||||
| +
 | ||||
| +    if (!dconf->idle_timeout) dconf->idle_timeout = -1; /* loop indefinitely */
 | ||||
| +
 | ||||
| +    return NULL;
 | ||||
| +}
 | ||||
| +
 | ||||
|  static void *create_proxyws_dir_config(apr_pool_t *p, char *dummy) | ||||
|  { | ||||
|      proxyws_dir_conf *new = | ||||
|          (proxyws_dir_conf *) apr_pcalloc(p, sizeof(proxyws_dir_conf)); | ||||
|   | ||||
| +    new->idle_timeout = -1; /* no timeout */
 | ||||
|      new->fallback_to_proxy_http = 1; | ||||
|   | ||||
|      return (void *) new; | ||||
| @@ -489,7 +510,8 @@ static const command_rec ws_proxy_cmds[] =
 | ||||
|                   proxyws_fallback_to_proxy_http, NULL, RSRC_CONF|ACCESS_CONF, | ||||
|                   "whether to let mod_proxy_http handle the upgrade and tunneling, " | ||||
|                   "On by default"), | ||||
| -
 | ||||
| +    AP_INIT_TAKE1("ProxyWebsocketIdleTimeout", proxyws_set_idle, NULL, RSRC_CONF|ACCESS_CONF,
 | ||||
| +                 "timeout for activity in either direction, unlimited by default."),
 | ||||
|      {NULL} | ||||
|  }; | ||||
|   | ||||
							
								
								
									
										11
									
								
								httpd.spec
									
									
									
									
									
								
							
							
						
						
									
										11
									
								
								httpd.spec
									
									
									
									
									
								
							| @ -25,7 +25,7 @@ | ||||
| Summary: Apache HTTP Server | ||||
| Name: httpd | ||||
| Version: 2.4.62 | ||||
| Release: 2%{?dist} | ||||
| Release: 3%{?dist} | ||||
| URL: https://httpd.apache.org/ | ||||
| Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 | ||||
| Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc | ||||
| @ -96,6 +96,10 @@ Patch30: httpd-2.4.43-logjournal.patch | ||||
| Patch31: httpd-2.4.53-separate-systemd-fns.patch | ||||
| Patch32: httpd-2.4.58-r1912477+.patch | ||||
| Patch33: httpd-2.4.54-selinux.patch | ||||
| # https://bugzilla.redhat.com/show_bug.cgi?id=1949606 | ||||
| Patch34: httpd-2.4.62-freebind.patch | ||||
| # https://bugzilla.redhat.com/show_bug.cgi?id=1947496 | ||||
| Patch35: httpd-2.4.62-proxy-ws-idle-timeout.patch | ||||
| 
 | ||||
| # Bug fixes | ||||
| # https://bugzilla.redhat.com/show_bug.cgi?id=1397243 | ||||
| @ -827,6 +831,11 @@ exit $rv | ||||
| %{_rpmconfigdir}/macros.d/macros.httpd | ||||
| 
 | ||||
| %changelog | ||||
| * Thu Aug 08 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.4.62-3 | ||||
| - Resolves: RHEL-53632 - RFE: httpd, add IP_FREEBIND support for Listen | ||||
| - Resolves: RHEL-53722 - [RFE] ProxyWebsocketIdleTimeout from | ||||
|   httpd mod_proxy_wstunnel | ||||
| 
 | ||||
| * Sat Aug 03 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.4.62-2 | ||||
| - Resolves: RHEL-52722 - Regression introduced by CVE-2024-38474 fix | ||||
| 
 | ||||
|  | ||||
		Loading…
	
		Reference in New Issue
	
	Block a user