Re: client_socket bogosity...

[Bill Stoddard]

> The create_connection hook has a fatal design flaw. create_conn is run before
> ap_update_vhost_given_ip(), which means that it is impossible to install input and
output
> filters based on vhost info.
>
More concisely, it is now impossible to install filters in place of CORE_IN and 
CORE_OUT
based on vhost config.

Bill

Re: client_socket bogosity...

[Ian Holsman]

Bill Stoddard wrote:
> The create_connection hook has a fatal design flaw. create_conn is run before
> ap_update_vhost_given_ip(), which means that it is impossible to install input and 
>output
> filters based on vhost info.
> 
> I want to install SSL_IN and SSL_OUT filters if the request is coming in to a 
>vhost/port
> enabled for SSL and that can't be done with the create_connection hook.
> 
> Bill
> 

On that point.
I don't think there is any way of inserting a proxy specifc filter 
either, as their is now way for the hook to know what kind of request
is the connection is for.

> 
>>>One Nov. 12, Ryan committed a patch creating the create_conn hook. The
>>>idea was to move
>>>the client_socket out of the conn_rec presumably to make available
>>>
>>only to
>>
>>>the core_in and
>>>core_out filters.  However, I just found a backdoor...
>>>
>>>In core_create_conn() the socket is saved away thusly:
>>>ap_set_module_config(net->c->conn_config, &core_module, csd);
>>>
>>>And whoever needs to access the socket does this:
>>>apr_socket_t *csd = ap_get_module_config(f->c->conn_config,
>>>
>>&core_module);
>>
>>That hack was added because the proxy does the completely wrong thing
>>with regard to handing sockets.  In order to finish the Nov. 12 patch, I
>>need to rip a lot of logic out of the proxy and re-implement, which I
>>haven't had time to do recently.  The only other module that should use
>>the get_module_config hack is the perchild module, which is also doing
>>to completely wrong thing with regard to sockets, but I haven't had time
>>to fix that one either.
>>
>>
>>
>>>So the goal of hiding the socket is completely blown.  The Nov. 11
>>>
>>change
>>
>>>added a lot of
>>>complexity to the server (hard to read/understand code) in pursuit of
>>>
>>a
>>
>>>goal that is then
>>>immediately circumvented by the ap_get|set_module_config. So we made
>>>
>>the
>>
>>>server more
>>>complex for no reason.
>>>
>>It actually isn't blown.  Try writing a module that implements a non TCP
>>socket, and it will work as long as you don't use the proxy or the
>>perchild module.  As proof, look at the fact that the Unix MPMs have
>>been using that mechanism to handle the pipe_of_death.  This allowed me
>>to remove the ugly hacks at the beginning of the accept loop, which
>>checked for the POD.
>>
>>Also, a big portion of the Nov 12 patch was to consolidate the accept
>>functions for Unix and BeOS, which has meant far less duplicated code in
>>the server.
>>
>>
>>>I am on the verge of vetoing the Nov. 12 patch in favor of moving the
>>>client_socket back
>>>into the con_rec.
>>>
>>>Comments?
>>>
>>Please don't let two mis-behaved modules color your judgment on this.
>>Both proxy and perchild must be re-written if they are going to be
>>clean, and once that is done the stupid set_module_config can be
>>removed.  In fact, the server ran for over a day without the
>>set_module_config, but that broke the proxy, so I added the hack to
>>allow the proxy to continue to work, while I worked to solve the
>>underlying problem.  Unfortunately, work and some extracurricular
>>activities have stopped me from contributing much code recently.
>>Hopefully, I will have time to code again soon.
>>
>>Ryan
>>
>>
>>
> 
> 

Re: client_socket bogosity...

[Bill Stoddard]

The create_connection hook has a fatal design flaw. create_conn is run before
ap_update_vhost_given_ip(), which means that it is impossible to install input and 
output
filters based on vhost info.

I want to install SSL_IN and SSL_OUT filters if the request is coming in to a 
vhost/port
enabled for SSL and that can't be done with the create_connection hook.

Bill

> > One Nov. 12, Ryan committed a patch creating the create_conn hook. The
> > idea was to move
> > the client_socket out of the conn_rec presumably to make available
> only to
> > the core_in and
> > core_out filters.  However, I just found a backdoor...
> >
> > In core_create_conn() the socket is saved away thusly:
> > ap_set_module_config(net->c->conn_config, &core_module, csd);
> >
> > And whoever needs to access the socket does this:
> > apr_socket_t *csd = ap_get_module_config(f->c->conn_config,
> &core_module);
>
> That hack was added because the proxy does the completely wrong thing
> with regard to handing sockets.  In order to finish the Nov. 12 patch, I
> need to rip a lot of logic out of the proxy and re-implement, which I
> haven't had time to do recently.  The only other module that should use
> the get_module_config hack is the perchild module, which is also doing
> to completely wrong thing with regard to sockets, but I haven't had time
> to fix that one either.
>
>
> > So the goal of hiding the socket is completely blown.  The Nov. 11
> change
> > added a lot of
> > complexity to the server (hard to read/understand code) in pursuit of
> a
> > goal that is then
> > immediately circumvented by the ap_get|set_module_config. So we made
> the
> > server more
> > complex for no reason.
>
> It actually isn't blown.  Try writing a module that implements a non TCP
> socket, and it will work as long as you don't use the proxy or the
> perchild module.  As proof, look at the fact that the Unix MPMs have
> been using that mechanism to handle the pipe_of_death.  This allowed me
> to remove the ugly hacks at the beginning of the accept loop, which
> checked for the POD.
>
> Also, a big portion of the Nov 12 patch was to consolidate the accept
> functions for Unix and BeOS, which has meant far less duplicated code in
> the server.
>
> > I am on the verge of vetoing the Nov. 12 patch in favor of moving the
> > client_socket back
> > into the con_rec.
> >
> > Comments?
>
> Please don't let two mis-behaved modules color your judgment on this.
> Both proxy and perchild must be re-written if they are going to be
> clean, and once that is done the stupid set_module_config can be
> removed.  In fact, the server ran for over a day without the
> set_module_config, but that broke the proxy, so I added the hack to
> allow the proxy to continue to work, while I worked to solve the
> underlying problem.  Unfortunately, work and some extracurricular
> activities have stopped me from contributing much code recently.
> Hopefully, I will have time to code again soon.
>
> Ryan
>
>

RE: client_socket bogosity...

[Ryan Bloom]

> On Fri, Jan 25, 2002 at 02:01:26PM -0800, Ryan Bloom wrote:
> > > > Please don't let two mis-behaved modules color your judgment on
> > this.
> > > > Both proxy and perchild must be re-written if they are going to
be
> > > > clean, and once that is done the stupid set_module_config can be
> > > > removed.  In fact, the server ran for over a day without the
> > > > set_module_config, but that broke the proxy, so I added the hack
to
> > > > allow the proxy to continue to work, while I worked to solve the
> > > > underlying problem.
> > >
> > > mmm... I'd be interested to know what the solution is for
> > > net_time_filter since it is using the ap_get_module_config
> > > hack also.
> >
> > The real solution is to pass the core_net_rec structure to the
NET_TIME
> > filter as user-data for the filter, the same way we do for CORE_IN
and
> > CORE_OUT.
> 
> You're kidding, right? The core_net_rec is private to the core. You
can't
> just start passing that around the server. That just breaks the
> abstraction
> that you've worked so hard to implement.
> 
> No... something else needs to be figured out [for the
net_time_filter].

But the net_time_filter is implemented by the core.  If we really want
to abstract this more, we can create a function that, given a conn_rec
can set a timeout on the socket.  I think I see how that can be done.
Or, we can actually create a net_module, that has a spot in the
c->conf_vector that is the net_rec.  That module can implement the logic
to set a timeout on a connection.  Which is really what we want, to be
able to set a timeout on a connection, not on a socket.

Ryan

RE: client_socket bogosity...

[Ryan Bloom]

> 
> > The real solution is to pass the core_net_rec structure to the
NET_TIME
> > filter as user-data for the filter, the same way we do for CORE_IN
and
> > CORE_OUT.
> 
> But you'll have to play some sort of trick to do that since the
> NET_TIME filter is added from the create_request hook which does
> not know about core_net_rec, only core_create_conn knows about that.
> I suppose some core specific magic could be played but that would
> prevent any other module from running it's own net_time hook.

This is why I didn't do this originally, but it wouldn't be hard to add.
As long as it's just the core that knows about the core_net_rec, we are
okay.  I just ran out of time while doing the implementation.

Ryan

Re: client_socket bogosity...

[Greg Stein]

On Fri, Jan 25, 2002 at 02:01:26PM -0800, Ryan Bloom wrote:
> > > Please don't let two mis-behaved modules color your judgment on
> this.
> > > Both proxy and perchild must be re-written if they are going to be
> > > clean, and once that is done the stupid set_module_config can be
> > > removed.  In fact, the server ran for over a day without the
> > > set_module_config, but that broke the proxy, so I added the hack to
> > > allow the proxy to continue to work, while I worked to solve the
> > > underlying problem.
> > 
> > mmm... I'd be interested to know what the solution is for
> > net_time_filter since it is using the ap_get_module_config
> > hack also.
> 
> The real solution is to pass the core_net_rec structure to the NET_TIME
> filter as user-data for the filter, the same way we do for CORE_IN and
> CORE_OUT.

You're kidding, right? The core_net_rec is private to the core. You can't
just start passing that around the server. That just breaks the abstraction
that you've worked so hard to implement.

No... something else needs to be figured out [for the net_time_filter].

Cheers,
-g

-- 
Greg Stein, http://www.lyra.org/

Re: Apache-1.3: ftp proxy woes

[Chuck Murcko]

Fantastic. FTP proxy has been funky for some time now (but was working 
if hobbling in 1.3.23 drop). When I do connect in the BillR way that 
might wrap up the thing mostly.

Chuck

On Friday, January 25, 2002, at 11:33 AM, Martin Kraemer wrote:

> I am currently working on modifying the FTP proxy. Several things
> do not work correctly:
>
> * the proxy goes into "TYPE I" pretty quickly. However, binary transfers
>   are inappropriate for directory listings, especially when you connect
>   to an EBCDIC machine :-O
>   IMO, "TYPE I" should be sent directly before trying RETR, and should
>   be set back to "TYPE A" again when RETR failed and we are getting a
>   LISTing instead. See RFC959.
>   Also, the suffix ";type=[aid]" could be extended to allow for 
> ";type=e"
>   for forced EBCDIC transfer ;-)  Not that I know a client which uses 
> it.
>
> * The code path thru the proxy_ftp_handler is rather convoluted. My 
> rewrite
>   funnels each return() thru a common function which cleans up, closing
>   BUFFs or sockets where needed. The current code has MANY returns which
>   do not clean up properly. This led to my Apache server running out of
>   children after a while (because each child kept an open FTP connection
>   to the ftp server). "Apachectl restart" saved the day ;-)
>
> * the so called "%2F" hack, which would allow a user of the proxy to
>   selectively start with either her home dir (ftp://user@host/) or
>   with the root dir of the system (by using ftp://user@host/%2f/)
>   is implemented in squid. Wouldn't it be nice to have it in our proxy
>   too?
>
> * Speaking of %2f: Apache's verification checks for path components
>   are not executed for the ftp proxy, it uses its own url encoding
>   and decoding, and many security checks are missing there. You can
>   go get ftp://user@host/%2fetc%2fpasswd or even
>   ftp://user@host/%2fetc%2fdefaults%2f%2e%2e%2fgroup
>   without any complaints by the proxy.
>

CVS code on 1/25/02 | problem: segfault on startup

[David Ford]

This is my first foray into apache 2.0 land so I'm not familiar with things.

I built glibc 2.2.5 and apache broke.  I rebuilt apache and it still 
broke :)

(gdb) bt
#0  apr_palloc (pool=0x813e720, size=24) at apr_pools.c:438
#1  0x4003524f in apr_array_make (p=0x813e720, nelts=30, elt_size=20) at 
apr_tables.c:120
#2  0x08070e66 in parse_log_string (p=0x813e720, s=0x80c84e5 "%h %l %u 
%t \"%r\" %>s %b", err=0xb4a8)
at mod_log_config.c:712
#3  0x08071738 in open_multi_logs (s=0x80fd0e0, p=0x813e720) at 
mod_log_config.c:1097
#4  0x0807176a in init_config_log (pc=0x80f6600, p=0x813e720, 
pt=0x8140728, s=0x80fd0e0) at mod_log_config.c:1174
#5  0x080aa5bf in ap_run_open_logs (pconf=0x80f6600, plog=0x813e720, 
ptemp=0x8140728, s=0x80fd0e0) at config.c:179
#6  0x080ae580 in main (argc=1, argv=0xb5d4) at main.c:446

(gdb) up
#1  0x4003524f in apr_array_make (p=0x813e720, nelts=30, elt_size=20) at 
apr_tables.c:120
120 res = (apr_array_header_t *) apr_palloc(p, 
sizeof(apr_array_header_t));
(gdb) l
115 APR_DECLARE(apr_array_header_t *) apr_array_make(apr_pool_t *p,
116 int nelts, int 
elt_size)
117 {
118 apr_array_header_t *res;
119
120 res = (apr_array_header_t *) apr_palloc(p, 
sizeof(apr_array_header_t));
121 make_array_core(res, p, nelts, elt_size, 1);
122 return res;
123 }
124

(gdb) p p
$4 = (apr_pool_t *) 0x813e720
(gdb) p *p
$5 = {parent = 0x80f45f8, child = 0x0, sibling = 0x813e848, ref = 0x5, 
cleanups = 0x813e7f0, subprocesses = 0x0, abort_fn = 0,
  user_data = 0x0, tag = 0x0, allocator = 0x2, active = 0x, self 
= 0x813e710,
  self_first_avail = 0x813e758 "/usr/local/apache2/logs/error_log"}

Any suggestions?

David

RE: client_socket bogosity...

[Allan Edwards]

> prevent any other module from running it's own net_time hook.

I meant net_time filter...

RE: client_socket bogosity...

[Allan Edwards]

> The real solution is to pass the core_net_rec structure to the NET_TIME
> filter as user-data for the filter, the same way we do for CORE_IN and
> CORE_OUT.

But you'll have to play some sort of trick to do that since the
NET_TIME filter is added from the create_request hook which does
not know about core_net_rec, only core_create_conn knows about that.
I suppose some core specific magic could be played but that would 
prevent any other module from running it's own net_time hook.

Allan  

RE: client_socket bogosity...

[Ryan Bloom]

> > Please don't let two mis-behaved modules color your judgment on
this.
> > Both proxy and perchild must be re-written if they are going to be
> > clean, and once that is done the stupid set_module_config can be
> > removed.  In fact, the server ran for over a day without the
> > set_module_config, but that broke the proxy, so I added the hack to
> > allow the proxy to continue to work, while I worked to solve the
> > underlying problem.
> 
> mmm... I'd be interested to know what the solution is for
> net_time_filter since it is using the ap_get_module_config
> hack also.

The real solution is to pass the core_net_rec structure to the NET_TIME
filter as user-data for the filter, the same way we do for CORE_IN and
CORE_OUT.

Ryan

RE: client_socket bogosity...

[Allan Edwards]

> Please don't let two mis-behaved modules color your judgment on this.
> Both proxy and perchild must be re-written if they are going to be
> clean, and once that is done the stupid set_module_config can be
> removed.  In fact, the server ran for over a day without the
> set_module_config, but that broke the proxy, so I added the hack to
> allow the proxy to continue to work, while I worked to solve the
> underlying problem.  

mmm... I'd be interested to know what the solution is for 
net_time_filter since it is using the ap_get_module_config 
hack also.

Allan

Re: Tagging .31 soon

[Greg Ames]

"William A. Rowe, Jr." wrote:

> > > I don't remember seeing a fix for the recursive subrequest loops involving
> > > mod_negotiation.  Did I miss it?
> 
> Ok... this is the last priority issue I've put on my own plate prior to
> another beta release.  The other three issues seem closed.
> 
> I'll fight on tommorow.  Hoping you are around, Greg, if I come up with
> any experimental solutions to try.

yep...I'm here.  My guess is that we can recreate this at will with .30 and the
right URLs.  I'm going to update my log replay input files to include the URLs
from the 4 coredumps, plus something like
http://www.apache.org/index/bogus_dir/bogus_file which has caused problems
before.  

Greg

Re: mod_negotiation/dir subrequest problem [was: Tagging .31 soon]

[Greg Ames]

"William A. Rowe, Jr." wrote:

> 
> > * it looks like we might be triggering some 1.3 negotiation behavior, where any
> > extention under the sun is a match.  We use MultiviewsMatch Handlers, so .asis
> > and .cgi extentions do not need to be specified in the URI.
> 
> Of course.  This is as-desired, no?

ooops, I wasn't clear.  We want extensions specified by AddLanguage to match,
and (since I code MultiviewsMatch Handlers) extentions specified by AddHandler. 
I think that's all the extensions we want to match implicitly.

But looking at that backtrace, it looks like mod_negotiation might be thinking
that .1, .3, etc are interesting extensions, which is what 1.3 would do, and
therefore thinking that v3.1 from URI might match v3.1.1 it found by reading the
builds/jakarta-tomcat/release/ directory.

Greg

Re: [Apache-1.3]: URL-Escaping

[Martin Kraemer]

On Fri, Jan 25, 2002 at 05:38:50PM +0100, Kraemer, Martin wrote:
> 
> Or am I wrong? If I am right, then either a new T_ class must be defined in
> gen_test_char, or

Uh. I *AM* wrong.  T_OS_ESCAPE_PATH should cause a '%' to be escaped.
I must have been blind when I tried it.

   Martin
-- 
<[EMAIL PROTECTED]> | Fujitsu Siemens
Fon: +49-89-636-46021, FAX: +49-89-636-47655 | 81730  Munich,  Germany

Re: [Apache-1.3]: URL-Escaping

[Martin Kraemer]

Sorry for all this so shortly after 1.3.23's announcement. But really,
this all has hit me only yesterday, so I could not complain earlier.
And when rewriting proxy_ftp, a certain stabilizing period would
be good (no need rushing out a fix for a release in 3 days).

   Martin
-- 
<[EMAIL PROTECTED]> | Fujitsu Siemens
Fon: +49-89-636-46021, FAX: +49-89-636-47655 | 81730  Munich,  Germany

[Apache-1.3]: URL-Escaping

[Martin Kraemer]

Hi again,

ap_os_escape_path() and its wrapper macro ap_escape_uri() fail to
escape a literal '%' in a path. I may be wrong, but IMHO a directory
called %dir should be url-encoded as:
  %dir

Or am I wrong? If I am right, then either a new T_ class must be defined in
gen_test_char, or
while ((c = *s)) {
if (TEST_CHAR(c, T_OS_ESCAPE_PATH)) {
d = c2x(c, d);
}
else {
*d++ = c;
}
should be using
if (c == '%' || TEST_CHAR(c, T_OS_ESCAPE_PATH)) {
instead.

Protocol gurus? Anyone?

   Martin
-- 
<[EMAIL PROTECTED]> | Fujitsu Siemens
Fon: +49-89-636-46021, FAX: +49-89-636-47655 | 81730  Munich,  Germany

Apache-1.3: ftp proxy woes

[Martin Kraemer]

I am currently working on modifying the FTP proxy. Several things
do not work correctly:

* the proxy goes into "TYPE I" pretty quickly. However, binary transfers
  are inappropriate for directory listings, especially when you connect
  to an EBCDIC machine :-O
  IMO, "TYPE I" should be sent directly before trying RETR, and should
  be set back to "TYPE A" again when RETR failed and we are getting a
  LISTing instead. See RFC959.
  Also, the suffix ";type=[aid]" could be extended to allow for ";type=e"
  for forced EBCDIC transfer ;-)  Not that I know a client which uses it.

* The code path thru the proxy_ftp_handler is rather convoluted. My rewrite
  funnels each return() thru a common function which cleans up, closing
  BUFFs or sockets where needed. The current code has MANY returns which
  do not clean up properly. This led to my Apache server running out of
  children after a while (because each child kept an open FTP connection
  to the ftp server). "Apachectl restart" saved the day ;-)

* the so called "%2F" hack, which would allow a user of the proxy to
  selectively start with either her home dir (ftp://user@host/) or
  with the root dir of the system (by using ftp://user@host/%2f/)
  is implemented in squid. Wouldn't it be nice to have it in our proxy
  too?

* Speaking of %2f: Apache's verification checks for path components
  are not executed for the ftp proxy, it uses its own url encoding
  and decoding, and many security checks are missing there. You can
  go get ftp://user@host/%2fetc%2fpasswd or even
  ftp://user@host/%2fetc%2fdefaults%2f%2e%2e%2fgroup
  without any complaints by the proxy.

   Martin
-- 
<[EMAIL PROTECTED]> | Fujitsu Siemens
Fon: +49-89-636-46021, FAX: +49-89-636-47655 | 81730  Munich,  Germany

[Apache-1.3]: Why is ScriptLog context only "server config"?

[Martin Kraemer]

Was there a reasoning behind the fact that the ScriptLog* directives
can only be set in the global scope? I cannot, for instance, say:

  Alias /cgi-bin /usr/local/apache/cgi-bin
  Alias /cgi-dbg /usr/local/apache/cgi-bin

  
ScriptLog /tmp/cgi-dbg.log
...

to enable debugging only for certain requests, and not for the 99% others.
Or think of  and .

   Martin
-- 
<[EMAIL PROTECTED]> | Fujitsu Siemens
Fon: +49-89-636-46021, FAX: +49-89-636-47655 | 81730  Munich,  Germany

Apache-1.3.23: [warn] module is already added, skipping

[Martin Kraemer]

Hi everyone,

Since changing to 1.3.23, I observe the following warnings
in the error log:

[Fri Jan 25 15:29:47 2002] [warn] module mod_dir.c is already added, skipping
[Fri Jan 25 15:29:47 2002] [warn] module mod_cgi.c is already added, skipping
[Fri Jan 25 15:29:47 2002] [warn] module mod_asis.c is already added, skipping

In my config file, I use

--httpd.conf--
  ...
  # Read the list of loadable modules from the configuration file dso.conf
  Include conf/dso.conf
  ...
--httpd.conf--

which includes an automatically generated dso.conf (by an AWK
script which reorders LoadModule and AddModule so that
maintenance becomes much easier -- you can easily comment
or uncomment an optional module):

--dso.conf--
ClearModuleList

# Built-in so Module:  (this module must be added first!)
AddModule mod_so.c

# MicrosoftFree Friday
#LoadModule msff_module libexec/mod_msff.so
#AddModule mod_msff.c

# Dynamically loaded mmap_static Module:
LoadModule mmap_static_module libexec/mod_mmap_static.so
AddModule mod_mmap_static.c

# Dynamically loaded vhost_alias Module:
LoadModule vhost_alias_module libexec/mod_vhost_alias.so
AddModule mod_vhost_alias.c

...etc...
--dso.conf--


None of these directives is present more than once (only empty
lines and empty comments occur more than once):
--sh--
% sort dso.conf | uniq -d

#
--sh--

Actually, I can also inline these shuffled module lines, and I get
the same warnings.

IMHO the "double check" code is coded incorrectly.

  Martin
-- 
<[EMAIL PROTECTED]> | Fujitsu Siemens
Fon: +49-89-636-46021, FAX: +49-89-636-47655 | 81730  Munich,  Germany

RE: client_socket bogosity...

[Ryan Bloom]

> One Nov. 12, Ryan committed a patch creating the create_conn hook. The
> idea was to move
> the client_socket out of the conn_rec presumably to make available
only to
> the core_in and
> core_out filters.  However, I just found a backdoor...
> 
> In core_create_conn() the socket is saved away thusly:
> ap_set_module_config(net->c->conn_config, &core_module, csd);
> 
> And whoever needs to access the socket does this:
> apr_socket_t *csd = ap_get_module_config(f->c->conn_config,
&core_module);

That hack was added because the proxy does the completely wrong thing
with regard to handing sockets.  In order to finish the Nov. 12 patch, I
need to rip a lot of logic out of the proxy and re-implement, which I
haven't had time to do recently.  The only other module that should use
the get_module_config hack is the perchild module, which is also doing
to completely wrong thing with regard to sockets, but I haven't had time
to fix that one either.


> So the goal of hiding the socket is completely blown.  The Nov. 11
change
> added a lot of
> complexity to the server (hard to read/understand code) in pursuit of
a
> goal that is then
> immediately circumvented by the ap_get|set_module_config. So we made
the
> server more
> complex for no reason.

It actually isn't blown.  Try writing a module that implements a non TCP
socket, and it will work as long as you don't use the proxy or the
perchild module.  As proof, look at the fact that the Unix MPMs have
been using that mechanism to handle the pipe_of_death.  This allowed me
to remove the ugly hacks at the beginning of the accept loop, which
checked for the POD.

Also, a big portion of the Nov 12 patch was to consolidate the accept
functions for Unix and BeOS, which has meant far less duplicated code in
the server.

> I am on the verge of vetoing the Nov. 12 patch in favor of moving the
> client_socket back
> into the con_rec.
> 
> Comments?

Please don't let two mis-behaved modules color your judgment on this.
Both proxy and perchild must be re-written if they are going to be
clean, and once that is done the stupid set_module_config can be
removed.  In fact, the server ran for over a day without the
set_module_config, but that broke the proxy, so I added the hack to
allow the proxy to continue to work, while I worked to solve the
underlying problem.  Unfortunately, work and some extracurricular
activities have stopped me from contributing much code recently.
Hopefully, I will have time to code again soon.

Ryan

client_socket bogosity...

[Bill Stoddard]

One Nov. 12, Ryan committed a patch creating the create_conn hook. The idea was to move
the client_socket out of the conn_rec presumably to make available only to the core_in 
and
core_out filters.  However, I just found a backdoor...

In core_create_conn() the socket is saved away thusly:
ap_set_module_config(net->c->conn_config, &core_module, csd);

And whoever needs to access the socket does this:
apr_socket_t *csd = ap_get_module_config(f->c->conn_config, &core_module);

So the goal of hiding the socket is completely blown.  The Nov. 11 change added a lot 
of
complexity to the server (hard to read/understand code) in pursuit of a goal that is 
then
immediately circumvented by the ap_get|set_module_config. So we made the server more
complex for no reason.

I am on the verge of vetoing the Nov. 12 patch in favor of moving the client_socket 
back
into the con_rec.

Comments?

Bill

Any way to return an error on the create_conn hook?

[Bill Stoddard]

I have a module that implements a create_conn hook that can detect error conditions
requiring the HTTP request to be failed.  If I return NULL from the create_conn hook 
in my
failure case, the default core hook gets run which is NOT what I want to happen. I'd 
like
to be able to return something like -1 to tell the hook code that the request failed 
and
to not attempt to run other create_conn hooks.

Thoughts?

Bill

Re: Apache2 mod_auth_ldap

[Graham Leggett]

Günter Knauf wrote:

> can someone please explain how I can create apr_ldap.h on Win32 and
> what additional defines are needed in the project in order to build mod_auth_ldap?

I am not sure how to do this on win32, however you need to include
--with-ldap to switch on LDAP support in APR-util, then you need to
enable two modules: mod_ldap and mod_auth_ldap. If you only enable
mod_auth_ldap it won't work.

Regards,
Graham
-- 
-
[EMAIL PROTECTED]"There's a moon
over Bourbon Street
tonight..."


smime.p7s
Description: S/MIME Cryptographic Signature