RE: [PATCH 55315] mod_proxy interpolation code broken by regression to APR-util 1.5.2

2013-10-09 Thread Plüm , Rüdiger , Vodafone Group 
My bad.

Needs to be

RewriteRule ^/my_app/(.*) %{ENV:protocol}://1.2.3.4/my_app/$1 [P]

Regards

Rüdiger

From: Mike Rumph
Sent: Dienstag, 8. Oktober 2013 22:17
To: dev@httpd.apache.org
Subject: Re: [PATCH 55315] mod_proxy interpolation code broken by regression to 
APR-util 1.5.2

Sorry.

I got carried away with the generic translation.

I was instead browsing to http://localhost:8080/my_app/

With the results indicated below.

Thanks,

Mike Rumph

On 10/8/2013 1:09 PM, Mike Rumph wrote:
I tried the configuration below with httpd trunk:



 RewriteEngine On



 RewriteCond %{HTTPS} =off

 RewriteRule . - [E=protocol:http]

 RewriteCond %{HTTPS} =on

 RewriteRule . - [E=protocol:https]



 RewriteRule ^/my_app/(.*) %{protocol}://1.2.3.4/my_app/$1 [P]

 ProxyPassReverse /my_app/ http://1.2.3.4/my_app/

 ProxyPassReverse /my_app/ https://1.2.3.4/my_app/
Then browsing to http://1.2.3.4/my_app/ gives me the following result:

Not Found

The requested URL /://1.2.3.4/my_app/ was not found on this server.

Any other suggestions?

Thanks,

Mike
On 9/17/2013 9:32 AM, Jim Jagielski wrote:

+1



On Sep 17, 2013, at 11:32 AM, Jeff Trawick 
traw...@gmail.commailto:traw...@gmail.com wrote:



On Tue, Sep 17, 2013 at 11:30 AM, Plüm, Rüdiger, Vodafone Group 
ruediger.pl...@vodafone.commailto:ruediger.pl...@vodafone.com wrote:

IMHO yes. But I am a mod_rewrite fan anyway :-).



not really a rewrite fan, but I think that's better than code



so IMO we should doc that interpolation isn't supported in the scheme, and 
instead a solution like that should be used







Regards



Rüdiger



-Original Message-

From: Jim Jagielski [mailto:j...@jagunet.com]

Sent: Dienstag, 17. September 2013 17:26

To: dev@httpd.apache.orgmailto:dev@httpd.apache.org

Subject: Re: [PATCH 55315] mod_proxy interpolation code broken by

regression to APR-util 1.5.2



Doesn't that completely avoid/ignore the issue in the 1st place?



On Sep 17, 2013, at 11:08 AM, Plüm, Rüdiger, Vodafone Group

ruediger.pl...@vodafone.commailto:ruediger.pl...@vodafone.com wrote:



How about



 RewriteEngine On



 RewriteCond %{HTTPS} =off

 RewriteRule . - [E=protocol:http]

 RewriteCond %{HTTPS} =on

 RewriteRule . - [E=protocol:https]



 RewriteRule ^/my_app/(.*) %{protocol}://1.2.3.4/my_app/$1 [P]

 ProxyPassReverse /my_app/ http://1.2.3.4/my_app/

 ProxyPassReverse /my_app/ https://1.2.3.4/my_app/



?



Regards



Rüdiger



From: Jeff Trawick [mailto:traw...@gmail.com]

Sent: Dienstag, 17. September 2013 15:24

To: Apache HTTP Server Development List

Subject: Re: [PATCH 55315] mod_proxy interpolation code broken by

regression to APR-util 1.5.2

On Wed, Sep 4, 2013 at 5:12 PM, Mike Rumph 
mike.ru...@oracle.commailto:mike.ru...@oracle.com

wrote:

Hello Jeff,



Thanks for your reply.





On 9/3/2013 6:58 AM, Jeff Trawick wrote:



Since the URL validation in apr_uri_parse() has been tightened in the

handling of the scheme portion of a URL,

I submitted a patch to httpd bug 55315 against the mod_proxy code in

httpd trunk to handle the special case

of interpolating a variable in the scheme portion of a URL.



- https://issues.apache.org/bugzilla/show_bug.cgi?id=55315





Do you know if it is practical to have the one magic path down to

ap_proxy_define_worker() munge the URI?  I guess the problem is that

ap_proxy_define_worker() saves the parsed uri, and the caller (add_pass

or whatever it is) doesn't have access to that?

I take your point to be that the mod_proxy patch I submitted cannot be

applied to the branches, since it changes the API.

So I've submitted a new patch that is applied further up the stack in

add_pass() in mod_proxy.c.

That patch

(https://issues.apache.org/bugzilla/attachment.cgi?id=30799) is the one

I'm considering, as it is the one that could solve the issue for 2.2.x

(with a minor tweak) and 2.4.x (as-is), and I don't think the function

API issue is the major concern.  Instead, carrying the interpolation

expression around in the worker scheme field separate from an

interpolation flag seems to be the overriding issue.

Dynamic determination of the scheme seems very useful and I don't know

of another way to implement the same requirement, which is well

illustrated by the now-broken config in the bug:

 ProxyPassInterpolateEnv On

 RewriteEngine On



 RewriteCond %{HTTPS} =off

 RewriteRule . - [E=protocol:http]

 RewriteCond %{HTTPS} =on

 RewriteRule . - [E=protocol:https]



 ProxyPass /my_app/ ${protocol}://1.2.3.4/my_app/ interpolate

 ProxyPassReverse /my_app/ ${protocol}://1.2.3.4/my_app/

interpolate

Any alternate ideas for configuring something like that?



Otherwise, any objections to patch 30799 (URL above)?









It is interesting that my research seems to indicate that mod_proxy

interpolation was actually the first to be introduced into the code.

I guess the order is this:



1. support

Re: svn commit: r1516930 - in /httpd/httpd/trunk: docs/manual/mod/mod_proxy.xml modules/proxy/mod_proxy.c modules/proxy/mod_proxy.h modules/proxy/mod_proxy_ajp.c modules/proxy/mod_proxy_http.c modules

2013-10-09 Thread Jim Jagielski 
Committed revision 1530603.

thx again!
On Oct 8, 2013, at 4:24 PM, Yann Ylavic ylavic@gmail.com wrote:

 Sure, here it is.
 
 Please note 2 chances compared to the previous patch (pasted) :
 - the slow path ap_request_has_body used last to compute do_100_continue,
 - step Three-and-a-Half moved into step 3, with the associated comment 
 updated.
 
 For the latter change, it avoids the systematic double-check (needlessly, 
 IMHO) when light ping is configured and the connection is reused.
 
 Thank you for taking that into account.
 
 
 
 On Tue, Oct 8, 2013 at 8:52 PM, Jim Jagielski j...@jagunet.com wrote:
 OK, I gotcha now...
 
 Do you have a patch file? tia!
 
 On Oct 8, 2013, at 12:56 PM, Yann Ylavic ylavic@gmail.com wrote:
 
  On Tue, Oct 8, 2013 at 6:26 PM, Jim Jagielski j...@jagunet.com wrote:
  Does it matter whether or not it's a heavy ping or not?
  It doesn't matter what sort of test was used, the socket is down.
 
  Yes it is down, but for the ajp case for example, that determines the 
  return value GATEWAY_TIMEOUT vs INTERNAL_SERVER_ERROR, and according to the 
  comments, the former is when cping/cpong was used and that will not affect 
  the whole worker, does it make sense when the light ping (socket 
  health-check) only was done before forwarding?
 
  For the ap_proxy_http_request error case, should mod_proxy retry a new 
  request when the heavy ping is off (light ping on)?
 
  For ap_proxy_create_hdrbrgd and ap_proxy_process_response, the 100 
  continue things have nothing to do with light ping only, have they?
 
  Regards.
 
 
  On Oct 8, 2013, at 11:53 AM, Yann Ylavic ylavic@gmail.com wrote:
   Hi,
  
   Some code in trunk still only check for ping_timeout_set without 
   ping_timeout positive value to handle the heavy ping (CPING/Expect: 
   100-continue), see patch below.
  
   Regards,
   Yann.
  
   Index: modules/proxy/mod_proxy_ajp.c
   ===
   --- modules/proxy/mod_proxy_ajp.c(revision 1530243)
   +++ modules/proxy/mod_proxy_ajp.c(working copy)
   @@ -341,7 +341,8 @@ static int ap_proxy_ajp_request(apr_pool_t *p, req
 * we assume it is a request that cause a back-end timeout,
 * but doesn't affect the whole worker.
 */
   -if (APR_STATUS_IS_TIMEUP(status)  
   conn-worker-s-ping_timeout_set) {
   +if (APR_STATUS_IS_TIMEUP(status)  
   conn-worker-s-ping_timeout_set
   + conn-worker-s-ping_timeout = 0) {
return HTTP_GATEWAY_TIME_OUT;
}
  
   @@ -661,7 +662,9 @@ static int ap_proxy_ajp_request(apr_pool_t *p, req
 * we assume it is a request that cause a back-end timeout,
 * but doesn't affect the whole worker.
 */
   -if (APR_STATUS_IS_TIMEUP(status)  
   conn-worker-s-ping_timeout_set) {
   +if (APR_STATUS_IS_TIMEUP(status) 
   +conn-worker-s-ping_timeout_set 
   +conn-worker-s-ping_timeout = 0) {
apr_table_set(r-notes, proxy_timedout, 1);
rv = HTTP_GATEWAY_TIME_OUT;
}
   Index: modules/proxy/proxy_util.c
   ===
   --- modules/proxy/proxy_util.c(revision 1530243)
   +++ modules/proxy/proxy_util.c(working copy)
   @@ -3073,6 +3073,7 @@ PROXY_DECLARE(int) ap_proxy_create_hdrbrgd(apr_poo
 * We also make sure we won't be talking HTTP/1.0 as well.
 */
do_100_continue = (worker-s-ping_timeout_set
   +(worker-s-ping_timeout = 0)
ap_request_has_body(r)
(PROXYREQ_REVERSE == r-proxyreq)
!(apr_table_get(r-subprocess_env, 
   force-proxy-request-1.0)));
   Index: modules/proxy/mod_proxy_http.c
   ===
   --- modules/proxy/mod_proxy_http.c(revision 1530243)
   +++ modules/proxy/mod_proxy_http.c(working copy)
   @@ -1241,6 +1241,7 @@ int ap_proxy_http_process_response(apr_pool_t * p,
dconf = ap_get_module_config(r-per_dir_config, proxy_module);
  
do_100_continue = (worker-s-ping_timeout_set
   +(worker-s-ping_timeout = 0)
ap_request_has_body(r)
(PROXYREQ_REVERSE == r-proxyreq)
!(apr_table_get(r-subprocess_env, 
   force-proxy-request-1.0)));
   @@ -1992,8 +1993,9 @@ static int proxy_http_handler(request_rec *r, prox
 */
if ((status = ap_proxy_http_request(p, r, backend, worker,
conf, uri, locurl, 
   server_portstr)) != OK) {
   -if ((status == HTTP_SERVICE_UNAVAILABLE)  
   worker-s-ping_timeout_set 
   - worker-s-ping_timeout  0) {
   +if ((status ==

Re: [PATCH 55593] Add SSLServerInfoFile directive

2013-10-09 Thread Dr Stephen Henson 
On 09/10/2013 02:22, Trevor Perrin wrote:
 Hi Kaspar, Stephen,
 
 So I think where things stand is that the OpenSSL 1.0.2 branch is
 capable of handling ServerInfo on a per-algorithm basis, but it's not
 clear how to expose this through Apache.
 
 (My previous email was naive, I was thinking maybe Stephen was saying
 the current certificate / current key concept was already exposed
 through to Apache, but I don't think it is).
 

Technically the current certificate concept doesn't need exposing at all. You
just have to make sure you set all the relevant parameters *after* you set the
certificate they apply to and *before* you set another one.

 So is there some way I could implement mod_ssl support for ServerInfo
 without a major rewrite of how mod_ssl handles certs and keys? (which
 some of the previous suggestions seemed to entail...)
 

I can see two ways to do this.

One is to add some code to Apache that just covers ServerInfo and is a directive
at the same level as certificates (apologies, not sure what the actual term for
that is). You then make sure you apply the value of that directive when you set
the relevant certificate.

The other is to enhance the SSL_CONF code in Apache so it can also store
per-certificate parameters.

The SSL_CONF currently works in Apache is to store all the SSL_CONF commands in
an array during configuration and replay them when the SSL_CTX is set. That's OK
for parameters that apply to the whole server (which reminds me support for
client mode in Apache would be good too) but not for individual certificates.

What you'd do to extend this is to have an array stored at the certificate level
and replay it after the appropriate certificate is set.

It's tempting to just add a directive but after some thought I think expanding
Apache SSL_CONF handling is the way to go. This would add some future proofing
so we don't have to go through this all again in future.

Steve.
-- 
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shen...@opensslfoundation.com

Re: [PATCH 55593] Add SSLServerInfoFile directive

2013-10-09 Thread Dr Stephen Henson 
On 02/10/2013 08:35, Kaspar Brand wrote:
 On 01.10.2013 12:15, Dr Stephen Henson wrote:
 That's just OpenSSL internals though. To handle ServerInfo properly in 
 mod_ssl
 IMHO you would need a new directive as there's no support for per-certificate
 SSL_CONF commands: it wasn't intended to be used like that in its current 
 form.

 This also runs against what IMHO is a long standing historical problem with 
 the
 way mod_ssl handles certificates: it hard codes the algorithms used in the
 source. That means every new algorithm needs mod_ssl code changes to support:
 ECC for example.
 
 True. I guess it's a side effect of keeping private key pass phrases in
 the global SSLModConfigRec. From ssl_private.h:
 
 /* BIG FAT WARNING: SSLModConfigRec has unusual memory lifetime: it is
  * allocated out of the process pool and only a single such
  * structure is created and used for the lifetime of the process.
 [...]
  * This odd lifetime strategy is used so that encrypted private keys
  * can be decrypted once at startup and continue to be used across
  * subsequent server reloads where the interactive password prompt is
  * not possible.
 [...]
  * This should really be fixed using a smaller structure which only
  * stores that which is absolutely necessary (the private keys, maybe
  * the random seed), and have that structure be strictly ABI-versioned
  * for safety.
 
 Whether the latter is doable without breaking backward config
 compatibility (in particular for the SSLCertificate*File directives)
 needs further examination, I guess.
 

I'd be interested in seeing what can be done to address this. One problem I
noticed in the past is that the serialisation of keys in Apache is not algorithm
independent: you can get around that by using PKCS#8 which is supported in all
the versions of OpenSSL of interest.

Well it works for software keys. For HSM keys there are some rather thorny
issues which are trickier to handle. I don't think those are currently 
supported?

Are you (or is anyone else) aware of any limitations on the OpenSSL side that
prevent revision of the code to support arbitrary numbers of certificates in an
algorithm independent way?

There's one (relatively minor) one I can think of. If you set another
certificate of the same type OpenSSL silently overwrites the old one. That means
you can't currently catch configuration errors: e.g. trying to use two
certificates of the same type.

Steve.
-- 
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shen...@opensslfoundation.com