Re: uds support
On Mon, 14 Oct 2013, Jim Jagielski wrote: On Oct 14, 2013, at 10:09 AM, Plüm, Rüdiger, Vodafone Group ruediger.pl...@vodafone.com wrote: Which one? sock://var/run/server.sock|http://localhost/foo/bar or http://localhost/foo/bar|sock:/var/run.s.sock I guess we could say that the path info for the segment that provides the communication scheme (http://localhost/... above), if any, is ignored. eg: http://localhost/|sock:./rel/dir/s.sock ajp://localhost/ignored/path|sock:/var/run/a.sock I like the above ones most. IMO it would be better to have the sock: at the start, so that it is immediately obvious. Imagine that you'd had to scan an 80 char URL with several url parameters for the |, that's annoying and error-prone. Alternatively, use a hostname that really stands out, like _unix_ or _socket_. For the scheme I would actually prefer unix:, because that is what other programs use (X, socat), and there are a lot more different socket types than unix. If not that, I would still prefer sock: over file:, because it is IMHO more correct.
Re: [PATCH 55593] Add SSLServerInfoFile directive
On 14/10/13 17:28, Kaspar Brand wrote: On 14.10.13 10:51, Rob Stradling wrote: Kaspar, I don't think data from 2010 (or even data from today) should be assumed to be a reliable indicator of future use of non-RSA certs on public sites. Past performance is not indicative of future performance, as they use to say in other industries, yes. Did the situation with Certicom's licensing terms for ECC cert issuance change recently? Not that I know of. But, with or without a licence from Certicom, it's gradually starting to happen. Symantec are already issuing ECC certs [1]. Here's one for urs.microsoft.com: AFAICT, interest (amongst the
commercial CAs) in ECC certs continues to grow. Since a significant proportion (I estimate ~20%) of deployed clients will accept RSA server certs but not ECC server certs, I think that configuring both an ECC cert and an RSA cert on a single vhost may yet become popular! I'm not saying we should no longer support multiple certs per vhost (in fact, with my PoC patch, you can send as many certs to OpenSSL if you increase SSL_AIDX_MAX - though OpenSSL currently can't really cope with it)... what I'm saying is that I don't see a need for an additional per-cert directive. To support the current cert concept of OpenSSL for the SSL_CTX calls, we just need to make sure that we're applying the OpenSSLConfCmd directives (ServerInfoFile etc.) at the proper place. Kaspar Ah, I see. Thanks for explaining. [1] http://www.symantec.com/connect/blogs/introducing-algorithm-agility-ecc-and-dsa -- Rob Stradling Senior Research Development Scientist COMODO - Creating Trust Online
Does Apache need Designers?
Hi, I know it's not entirely appropriate to interject on this list, but I've exhausted a few other options before deciding to post here. I'm a User Interface Designer with experience in open source projects (OpenOffice.org, then LibreOffice) and I'd like to help by making graphics for Apache because I feel particularly passionate about the world wide web and its freedom. I've suggested this in the past and met with lukewarm reception so I'm posting on this list in hopes it will find support with some Developers who see the need for a Designer's contribution. To show how I could contribute (and whether I'm capable of it) I've prepared some examples where new imagery might reinforce Apache's standing as the premier HTTP server. On this site below, I've proposed logos, installers and a website re-skin; http://nikashsingh.org/apache/ As you can see I'm not radically changing anything, I'm just suggesting small improvements to bring the aesthetic of Apache up to date. And I'm being realistic about the degree of change necessary, especially on the HTTP project website where the changes are CSS-only to minimise work. For example, this is the current (existing) HTTP project website; http://httpd.apache.org/ And this is the exact same page with my CSS file added; http://nikashsingh.org/apache/httpserver/welcome_mod.htm I know this is a Dev list, but I'm hoping some of you feel inclined after viewing the proposals, that the help of a Designer might benefit Apache going forward. And even if these examples aren't useful, maybe we could discuss the creation of icons/badges/shirts etc? more of my work can be found at my volunteer website below. Thanks for taking a moment to check out the proposals! I hope you'll consider my request for joining you all in making Apache look every bit as good as it works. -Nik http://nikashsingh.org
Re: uds support
I see a suggestion to: 1. s/sock:/unix:/ 2. Reorg as unix:/whatever|http://localhost/ any other comments? I'd like to nail this down...
error log providers, multiple vhosts, mod_syslog
Does this patch/commit look okay? It works for me with a simple provider in different scenarios (vhost that inherits provider setup from s_main, vhost that has its own setup). I suppose mod_syslog needs to disallow any attempts to configure it in a vhost with different settings since openlog() is process-wide. Jan, can you look at that by chance? -- Forwarded message -- From: traw...@apache.org Date: Tue, Oct 15, 2013 at 10:09 AM Subject: svn commit: r1532344 - /httpd/httpd/trunk/server/log.c To: c...@httpd.apache.org Author: trawick Date: Tue Oct 15 14:09:29 2013 New Revision: 1532344 URL: http://svn.apache.org/r1532344 Log: Follow-up to r1525597: Initialize error log providers in vhosts, solving crashes when logging from those vhosts as well as allowing a different provider (or provider configuration) for vhosts. Modified: httpd/httpd/trunk/server/log.c Modified: httpd/httpd/trunk/server/log.c URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/log.c?rev=1532344r1=1532343r2=1532344view=diff == --- httpd/httpd/trunk/server/log.c (original) +++ httpd/httpd/trunk/server/log.c Tue Oct 15 14:09:29 2013 @@ -458,6 +458,18 @@ int ap_open_logs(apr_pool_t *pconf, apr_ virt-error_log = q-error_log; } } +else if (virt-errorlog_provider) { +/* separately-configured vhost-specific provider */ +if (open_error_log(virt, 0, p) != OK) { +return DONE; +} +} +else if (s_main-errorlog_provider) { +/* inherit provider from s_main */ +virt-errorlog_provider = s_main-errorlog_provider; +virt-errorlog_provider_handle = s_main-errorlog_provider_handle; +virt-error_log = NULL; +} else { virt-error_log = s_main-error_log; } -- Born in Roswell... married an alien... http://emptyhammock.com/
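Review bot: In the new "else if (s_main->errorlog_provider)" branch the vhost copies s_main->errorlog_provider_handle instead of opening its own, so one handle is shared by the main server and every inheriting vhost; the "inherit provider from s_main" comment should say that the vhost does not own that handle, so later cleanup or reconfiguration code does not release it once per vhost. In the vhost-specific branch, open_error_log(virt, 0, p) is called for whatever provider is configured, which is the point where a provider with process-wide state (the mod_syslog/openlog() concern raised in the covering mail) would have to reject a differing per-vhost configuration; a comment there noting that expectation would help provider authors.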
Re: Does Apache need Designers?
On 10/15/2013 07:28 AM, Nikash SINGH wrote: Hi, I know it's not entirely appropriate to interject on this list, but I've exhausted a few other options before deciding to post here. I'm a User Interface Designer with experience in open source projects (OpenOffice.org, then LibreOffice) and I'd like to help by making graphics for Apache because I feel particularly passionate about the world wide web and its freedom. I've suggested this in the past and met with lukewarm reception so I'm posting on this list in hopes it will find support with some Developers who see the need for a Designer's contribution. To show how I could contribute (and whether I'm capable of it) I've prepared some examples where new imagery might reinforce Apache's standing as the premier HTTP server. On this site below, I've proposed logos, installers and a website re-skin; http://nikashsingh.org/apache/ As you can see I'm not radically changing anything, I'm just suggesting small improvements to bring the aesthetic of Apache up to date. And I'm being realistic about the degree of change necessary, especially on the HTTP project website where the changes are CSS-only to minimise work. For example, this is the current (existing) HTTP project website; http://httpd.apache.org/ And this is the exact same page with my CSS file added; http://nikashsingh.org/apache/httpserver/welcome_mod.htm I know this is a Dev list, but I'm hoping some of you feel inclined after viewing the proposals, that the help of a Designer might benefit Apache going forward. And even if these examples aren't useful, maybe we could discuss the creation of icons/badges/shirts etc? more of my work can be found at my volunteer website below. Thanks for taking a moment to check out the proposals! I hope you'll consider my request for joining you all in making Apache look every bit as good as it works. 
-Nik http://nikashsingh.org So, a few comments: First, I like what you've proposed regarding the httpd website, although the blue marble thing next to the project name seems out of place. Are your changes just to CSS, or are they changes to the HTML? (I didn't dig too deeply, as you can see.) I also like the changes to the Windows installer. I'm not at all sure what's involved in changing the look of the installer. Second, you've proposed changes to the httpd website, but also to stuff that is at the Foundation level. Any changes to the logo would have to be decided on the Trademarks mailing list - tradema...@apache.org - rather than on a list dealing with just one project within the Foundation. In case you're not very familiar with the Foundation, there are 100+ projects, and httpd is just one of them. All projects have equal footing within the Foundation, and such a thing, affecting the entire Foundation, could not be decided here. -- Rich Bowen rbo...@rcbowen.com Shosholoza
Re: Does Apache need Designers?
On 10/15/2013 05:43 PM, Rich Bowen wrote: On 10/15/2013 07:28 AM, Nikash SINGH wrote: Hi, I know it's not entirely appropriate to interject on this list, but I've exhausted a few other options before deciding to post here. I'm a User Interface Designer with experience in open source projects (OpenOffice.org, then LibreOffice) and I'd like to help by making graphics for Apache because I feel particularly passionate about the world wide web and its freedom. I've suggested this in the past and met with lukewarm reception so I'm posting on this list in hopes it will find support with some Developers who see the need for a Designer's contribution. To show how I could contribute (and whether I'm capable of it) I've prepared some examples where new imagery might reinforce Apache's standing as the premier HTTP server. On this site below, I've proposed logos, installers and a website re-skin; http://nikashsingh.org/apache/ As you can see I'm not radically changing anything, I'm just suggesting small improvements to bring the aesthetic of Apache up to date. And I'm being realistic about the degree of change necessary, especially on the HTTP project website where the changes are CSS-only to minimise work. For example, this is the current (existing) HTTP project website; http://httpd.apache.org/ And this is the exact same page with my CSS file added; http://nikashsingh.org/apache/httpserver/welcome_mod.htm I know this is a Dev list, but I'm hoping some of you feel inclined after viewing the proposals, that the help of a Designer might benefit Apache going forward. And even if these examples aren't useful, maybe we could discuss the creation of icons/badges/shirts etc? more of my work can be found at my volunteer website below. Thanks for taking a moment to check out the proposals! I hope you'll consider my request for joining you all in making Apache look every bit as good as it works. 
-Nik http://nikashsingh.org So, a few comments: First, I like what you've proposed regarding the httpd website, although the blue marble thing next to the project name seems out of place. Are your changes just to CSS, or are they changes to the HTML? (I didn't dig too deeply, as you can see.) I also like the changes to the Windows installer. I'm not at all sure what's involved in changing the look of the installer. Second, you've proposed changes to the httpd website, but also to stuff that is at the Foundation level. Any changes to the logo would have to be decided on the Trademarks mailing list - tradema...@apache.org - rather than on a list dealing with just one project within the Foundation. In case you're not very familiar with the Foundation, there are 100+ projects, and httpd is just one of them. All projects have equal footing within the Foundation, and such a thing, affecting the entire Foundation, could not be decided here. -- Rich Bowen rbo...@rcbowen.com Shosholoza I like the sentiment, and I support _some form_ of overhaul of our site. I'm not sure I'd go for any of the specific designs proposed, but it's a good starting point, at least to get the ball rolling. There are also issues of licensing and contributor agreements and what not that need to be sorted out. If there's not too much disgruntlement, perhaps we can, to paraphrase Mr. Bush, find a Coalition of Willing that would sit down and look at how we could proceed with this? I'm certainly up for it (*writes own name down on a napkin*). With regards, Daniel.
Re: uds support
I went ahead and made an exec decision to baseline unix:/path/to/sock.sock|http: as canon. trunk now does this.
Re: uds support
On 15 Oct 2013, at 7:01 PM, Jim Jagielski j...@jagunet.com wrote: I went ahead and made an exec decision to baseline unix:/path/to/sock.sock|http: as canon. trunk now does this. Can we further define it that /path/to/sock.sock is urlencoded? The | character makes me twitch, but I don't have a better suggestion. :( Regards, Graham --
ap_proxy_share_worker/balancer possible use of freed mem
Hello, these functions may try to log malloc()ed worker/balancer's shared data freed just earlier. Yet, mod_proxy does not seem to set the ap_proxy_define_worker/balancer()'s do_malloc flag anywhere, so malloc()ed shared data should not occur. However that's allowed by the API... A possible patch follows. Regards, Yann. Index: modules/proxy/proxy_util.c === --- modules/proxy/proxy_util.c(revision 1532496) +++ modules/proxy/proxy_util.c(working copy) @@ -1218,11 +1218,13 @@ PROXY_DECLARE(apr_status_t) ap_proxy_share_balance } else { action = re-using; } +balancer-s = shm; +balancer-s-index = i; + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, ap_server_conf, APLOGNO(02337) %s shm[%d] (0x%pp) for %s, action, i, (void *)shm, balancer-s-name); -balancer-s = shm; -balancer-s-index = i; + /* the below should always succeed */ lbmethod = ap_lookup_provider(PROXY_LBMETHOD, balancer-s-lbpname, 0); if (lbmethod) { @@ -1731,12 +1733,13 @@ PROXY_DECLARE(apr_status_t) ap_proxy_share_worker( } else { action = re-using; } +worker-s = shm; +worker-s-index = i; + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, ap_server_conf, APLOGNO(02338) %s shm[%d] (0x%pp) for worker: %s, action, i, (void *)shm, ap_proxy_worker_name(NULL, worker)); -worker-s = shm; -worker-s-index = i; return APR_SUCCESS; } [EOS] httpd-trunk-proxy_util_possible_freed_mem_use.patch Description: Binary data
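Review bot: In the first hunk (@@ -1218,11 +1218,13 @@) the two balancer->s assignments now sit above ap_log_error() with nothing saying why the order matters; add a one-line comment there stating that balancer->s must point at shm before the log call reads balancer->s->name, so a later cleanup does not move the assignments back below the logging. The same hunk also adds a blank line before "/* the below should always succeed */", which is unrelated whitespace and could be dropped.

Review bot: In the second hunk (@@ -1731,12 +1733,13 @@) the log call reaches the worker's data through ap_proxy_worker_name(NULL, worker) rather than through worker->s directly, so its dependency on the preceding "worker->s = shm" assignment is even less visible than in the balancer hunk; the same ordering comment belongs above the two added assignments here.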
Re: ap_proxy_share_worker/balancer possible use of freed mem
Nice catch On Oct 15, 2013, at 3:54 PM, Yann Ylavic ylavic@gmail.com wrote:
Re: uds support
On Tue, Oct 15, 2013 at 1:01 PM, Jim Jagielski j...@jagunet.com wrote: I went ahead and made an exec decision to baseline unix:/path/to/sock.sock|http: as canon. trunk now does this. Jim, thanks for working on this. With this latest approach how is the URI path specified? For example, with the original patch which relied on the URL encoded slashes we could have: ProxyPass fcgi://socket=%2ftmp%2fphp-fpm.sock/local/htdocs/ How would that look now (specifically the /local/htdocs portion)? -- Blaise
Re: uds support
On Oct 15, 2013, at 4:57 PM, Blaise Tarr blaise.t...@gmail.com wrote: On Tue, Oct 15, 2013 at 1:01 PM, Jim Jagielski j...@jagunet.com wrote: I went ahead and made an exec decision to baseline unix:/path/to/sock.sock|http: as canon. trunk now does this. Jim, thanks for working on this. With this latest approach how is the URI path specified? For example, with the original patch which relied on the URL encoded slashes we could have: ProxyPass fcgi://socket=%2ftmp%2fphp-fpm.sock/local/htdocs/ How would that look now (specifically the /local/htdocs portion)? Currently, the path of the http: (or whatever) path is ignored; the next step is to add that in.
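The unix:/path/to/sock.sock|http://localhost/ form settled on in this thread can be split as in the following added example, which is not httpd's parser and not code from any poster. It assumes the socket path is percent-encoded as Graham proposed (so a literal | in a path is written %7C); parse_uds_target and struct uds_target are hypothetical names.

```c
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Hypothetical result type for this example; not an httpd structure. */
struct uds_target {
    char sock_path[sizeof(((struct sockaddr_un *)0)->sun_path)];
    const char *backend_url;    /* points into the caller's string, after '|' */
};

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Split "unix:/path/to/sock.sock|http://localhost/" into the socket path
 * and the backend URL. The first raw '|' ends the socket path; the path
 * itself is percent-decoded (assumption: Graham's urlencoding proposal).
 * Returns 0 on success, -1 if the spec is malformed.
 */
int parse_uds_target(const char *spec, struct uds_target *out)
{
    const char *p, *bar;
    size_t n = 0;

    if (strncmp(spec, "unix:", 5) != 0)
        return -1;                      /* scheme must come first */
    p = spec + 5;
    bar = strchr(p, '|');
    if (bar == NULL || bar == p || bar[1] == '\0')
        return -1;                      /* no separator, empty path or URL */

    while (p < bar) {
        char c = *p++;
        if (c == '%') {
            int hi, lo;
            if (bar - p < 2)
                return -1;              /* truncated escape */
            hi = hexval(p[0]);
            lo = hexval(p[1]);
            if (hi < 0 || lo < 0)
                return -1;              /* not hex digits */
            c = (char)(hi * 16 + lo);
            p += 2;
            if (c == '\0')
                return -1;              /* %00 would silently truncate the path */
        }
        if (n + 1 >= sizeof(out->sock_path))
            return -1;                  /* does not fit in sun_path */
        out->sock_path[n++] = c;
    }
    out->sock_path[n] = '\0';
    out->backend_url = bar + 1;
    return 0;
}
```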
Re: mod_proxy ping and r-expecting_100
Here is a way to reproduce the issues (trunk and 2.4.x) discussed : $ cat httpd.conf [...] VirtualHost 127.0.0.1:8080 ServerName localhost:8080 ProxyPass / http://localhost:80/ ping=10 ProxyPassReverse / http://localhost:80/ /VirtualHost For this first request, the client does not expect a 100-continue but gets one : $ nc localhost 8080 EOS POST / HTTP/1.1 Host: localhost:8080 Content-Type: text/plain Content-Length: 10 123456789 EOS HTTP/1.1 100 Continue HTTP/1.1 404 Not Found Server: Apache Content-Length: 257 Content-Type: text/html; charset=iso-8859-1 [...] addressApache Server at localhost Port 80/address /body/html For this second request, the backend (httpd-2.2.16) does not like the double Expect: 100-continue : $ nc localhost 8080 EOS POST / HTTP/1.1 Host: localhost:8080 Content-Type: text/plain Content-Length: 10 Expect: 100-continue 123456789 EOS HTTP/1.1 100 Continue HTTP/1.1 417 Expectation Failed Server: Apache Content-Length: 437 Content-Type: text/html; charset=iso-8859-1 [...] pThe expectation given in the Expect request-header field could not be met by this server. The client sentpre Expect: 100-continue, 100-Continue /pre /ppOnly the 100-continue expectation is supported./p hr addressApache Server at localhost Port 80/address /body/html With the patch proposed, it works as expected, regards. On Thu, Oct 10, 2013 at 1:10 AM, Yann Ylavic ylavic@gmail.com wrote: On Tue, Oct 8, 2013 at 9:01 PM, Jim Jagielski j...@jagunet.com wrote: On Oct 8, 2013, at 1:25 PM, Yann Ylavic ylavic@gmail.com wrote: Helo, in the case where a ping is configured in a worker to check backend's connection (re)usability, ap_proxy_create_hdrbrgd will force r-expecting_100 (r1516930). As I understand it, r-expecting_100 relates to the client's connection, and is used by ap_http_filter to deal with client's 100-continue expectation, or by ap_send_interim_response to check whether the client expects one (or do nothing). 
Hence why is ap_proxy_create_hdrbrgd setting r-expecting_100 for the purpose of the backend connection? because we are forcing the 100-continue on that request. See ap_proxy_http_process_response() For what I understand from this ap_proxy_http_process_response() code : if (interim_response) { /* RFC2616 tells us to forward this. * * OTOH, an interim response here may mean the backend * is playing sillybuggers. The Client didn't ask for * it within the defined HTTP/1.1 mechanisms, and if * it's an extension, it may also be unsupported by us. * * There's also the possibility that changing existing * behaviour here might break something. * * So let's make it configurable. * * We need to set r-expecting_100 = 1 otherwise origin * server behaviour will apply. */ const char *policy = apr_table_get(r-subprocess_env, proxy-interim-response); [...] if (!policy || (!strcasecmp(policy, RFC) ((r-expecting_100 = 1 { ap_send_interim_response(r, 1); } [...or else discard that response...] } ap_proxy_http_process_response() takes care of whether to forward a 100 Continue response from the backend to the client, ap_send_interim_response() won't send anything unless r-expecting_100, but ENV:proxy-interim-response can force things. Is setting r-expecting_100 in ap_proxy_create_hdrbrgd() for ap_proxy_http_process_response() to forward the interim response(s)? If so, the bad path is that ap_http_filter() will first use r-expecting_100 (and reset it) for sending its own interim response (which isn't expected!). That's because the request body is prefetched (and then forwarded) before ap_proxy_http_process_response() is called, hence r-expecting_100 will never reach ap_proxy_http_process_response(), and no upcoming 100 Continue response from the backend will be forwarded to the client (unless ENV:proxy-interim-response is RFC). However there are 2 cases where mod_proxy_http expects a 100 Continue : 1. it forwards an Expect: 100 from the client, or/and 2. 
it adds/uses the Expect: 100 as a ping/continue-pong. And the RFC2616 states : - 10.1 Informational 1xx [...] Proxies MUST forward 1xx responses, unless the connection between the proxy and its client has been closed, or unless the proxy itself requested the generation of the 1xx response. (For example, if a proxy adds a Expect: 100-continue field when it forwards a request, then it need not forward the corresponding 100 (Continue) response(s).) For case 1 (with or without case 2), let ap_proxy_http_process_response() choose as usual whether to forward the interims. For
Re: Does Apache need Designers?
Hi again, Thank you *Daniel*, *Rich* and *Steve* for your replies. I've responded inline and I'll take this conversation off your list and move it to the trademarks list. And if you don't mind I'll report back with one quick message once I have their replies about whether an update to the HTTP project website is permissible so that anyone wanting to help me update the site knows how we can proceed. On 16/10/13 2:50 AM, Daniel Gruno wrote: On 10/15/2013 05:43 PM, Rich Bowen wrote: So, a few comments: ... Are you changes just to CSS, or are they changes to the HTML? Yup, just CSS, I've kept the changes as minimal as possible to ensure the least amount of work need be done to make the changes happen. I also like the changes to the Windows installer. I'm not at all sure what's involved in changing the look of the installer. Neither am I, but I'd be more than happy to provide the graphics if a more proficient Developer can help me integrate them into the installer. Second, you've proposed changes to the httpd website, but also to stuff that is at the Foundation level. Any changes to the logo would have to be decided on the Trademarks mailing list - tradema...@apache.org - Thanks for that Rich, something I overlooked while hunting for relevant mailing lists. And while I'd like the /Foundation/ to consider an overall Design update, I'd also ask the /HTTP project/ to consider its website and installer, because as I say, improving the HTTP server project is where most of the interest for me lies in Apache. ... -- Rich Bowen rbo...@rcbowen.com Shosholoza I like the sentiment, and I support _some form_ of overhaul of our site. I'm not sure I'd go for any of the specific designs proposed, but it's a good starting point, Yeah I can appreciate that, I was trying to work with the existing styles and language of the Apache website though they are difficult to work with and dated. 
I'm happy to iterate because that is always a good thing, I'm just trying to gauge interest first to see whether change is welcome. If there's not too much disgruntlement, perhaps we can, to paraphrase mr. Bush, find a Coalition of Willing that would sit down and look at how we could proceed with this? I'm certainly up for it (*writes own name down on a napkin*). Thanks Daniel! I'm certainly willing and I'll keep you (and anyone else that raises their hand) informed of the discussion on the trademarks list. ... With regards, Daniel. And Steve, I'd be VERY interested in helping with the OpenSSL website. I can't say I understand SSL very well, but if that is not an (idealistic) problem for you we can discuss the possibility off-list? Please send me a private Email with more details and we'll talk shop =) In any case, whether my attempts to introduce new Designs are successful or not, I just want to say thanks to the entire project and that there's plenty of us who appreciate what you do and what it means to an open internet. -Nik