Re: http/2, spdy and bears, oh my!

[Graham Leggett]

On 05 Feb 2014, at 9:09 PM, Jim Jagielski j...@jagunet.com wrote:

 With http/2 becoming closer and closer, and spdy being
 in place as we speak, it seems that we should really
 ramp up development on trunk to support these new techs.
 
 Lets get serious on what needs to be done w/ trunk
 to get there, and what our wish-list is for new capability
 and architecture.
 
 Taking a page from mod_spdy, breaking the connection-request
 singularity looks like an interesting 1st step, maybe via
 some sort of virtual connection which a real connection
 can spin up/down and which corresponds to the request's
 actual connection... 

My moon-on-a-stick wishlist is as follows.

I want more from the MPMs. Most specifically, what I want is:

- The ability to create and associate additional connections with the original 
incoming connection, creating a set of associated connections, all controlled 
by the same event loop.

If mod_proxy wants to make a connection, I want to be able to tie it into the 
same event loop that is driving the frontend. It should not matter where the 
connections come from, they could be local pipes, doesn't matter.

- The ability to mask events.

Messing around with lists of sockets is a colossal faff, ideally the MPM should 
worry about this and the module developer shouldn't care. What I want is the 
ability, at any time, to mask an event on a connection in a simple and easy to 
understand way.

While I am waiting for a ready-to-read from a backend proxy, I want to mask the 
ready-to-write to the frontend, and I don't want this to be fiddly.

- First class support for openssl.

The SSL protocol is a layer, meaning that while we may be trying to read, 
openssl underneath might be trying to either read or write to perform a 
renegotiation. What openssl asks us to do is switch to a write in the middle of 
a read, or a read in the middle of a write.

We must support this properly from the get go with the ability to override the 
sense of any event from a write to a read or a read to a write. In the past the 
MPMs have ignored openssl expecting to handle it as some kind of special case, 
and this is wrong.

Regards,
Graham
--

Re: Revisiting: xml2enc, mod_proxy_html and content compression

[Ewald Dieterich]

Thanks for the patch!

On 02/05/2014 02:57 PM, Nick Kew wrote:


The hesitation is because I've been wanting to review the
patch before committing, and round tuits are in woefully
short supply.  So I'm attaching it here.  I'll take any feedback
from you or other users as a substitute for my own review,
and commit if it works for you without glitches.


Minor glitch: the patch doesn't compile because it uses the unknown 
variable cfg in xml2enc_ffunc(). Otherwise it works as advertised.


My wishlist:

* Make the configuration option as powerful as the compiled in fallback 
so that you can configure eg. contains xml. But how would you do that? 
Support regular expressions?


* Provide a configuration option to blacklist content types so that you 
can use the defaults that are compiled in but exclude specific types 
from processing (this is how I work around the Sharepoint problem, I 
simply exclude content type multipart/related).

Adding AddHandler support for mod_proxy

[ryo takatsuki]

Hi,

I have an improvement request to suggest but I would like to first provide
some background to justify it, I apologise for the long email :).

I'm actively using mod_proxy to forward PHP files requests to PHP-FPM. My
current approach is to use a RewriteRule with the 'P' flag because (in most
of the cases) it plays nicely with other rules configured by the
applications I'm configuring, as well as allowing per-Directory
configurations.

To make it properly work I must assure the proxy RewriteRule must be the
latest one to be evaluated. The problem is that from time to time I
encounter corner cases in which the rules previously executed include a [L]
option that abort the next rules evaluation, skipping the proxy one, making
Apache serve the PHP text as plain text. This can be solved by tweaking the
rules but it is a tedious process and is hard to determine all the
scenarios in which the rewrites could go wrong.

Thinking about my goal with all of this was at the beginning, I realised I
only wanted a way of configuring a handler for all my PHP files, that in
this case is PHP-FPM, without having to worry about what happens before the
resource is going to be served. This made my think about the possibility of
adding this functionality to mod_proxy itself, allowing defining a proxy
worker as a handler for certain types of files. Something like:

 AddHandler proxy:unix:/path/to/app.sock|fcgi://localhost/ .php


I made a quick POC, it is a really small change and for those in my
situation it could really simplify the configuration of their apps. Of
course, I'm open to criticisms and alternative solutions :).


The code that adds the new functionality is inserted at the beginning of
mod_proxy's proxy_handler. The conditions are a little weird because I only
wanted to check the handler if it is not a proxy request already.

diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
index 9d7c92f..49f3bdc 100644
--- a/modules/proxy/mod_proxy.c
+++ b/modules/proxy/mod_proxy.c
@@ -927,8 +927,20 @@ static int proxy_handler(request_rec *r)
 struct dirconn_entry *list = (struct dirconn_entry
*)conf-dirconn-elts;

 /* is this for us? */
-if (!r-proxyreq || !r-filename || strncmp(r-filename, proxy:, 6)
!= 0)
+if (!r-filename)
+  return DECLINED;
+
+if (!r-proxyreq) {
+  if (r-handler  strncmp(r-handler, proxy:, 6) == 0 
strncmp(r-filename, proxy:, 6) != 0) {
+r-proxyreq = PROXYREQ_REVERSE;
+r-filename = apr_pstrcat(r-pool, r-handler, r-filename, NULL);
+apr_table_setn(r-notes, rewrite-proxy, 1);
+  } else {
 return DECLINED;
+  }
+} else if (strncmp(r-filename, proxy:, 6) != 0) {
+  return DECLINED;
+}

 /* handle max-forwards / OPTIONS / TRACE */
 if ((str = apr_table_get(r-headers_in, Max-Forwards))) {

Best regards,

Juanjo.

[PATCH 55467] - Updates to mod_ssl to support TLS hello extensions and TLS supplemental data

[Scott Deboy]

Support for sending and receiving TLS hello extensions and TLS supplemental 
data messages has recently been added to the OpenSSL GitHub master branch.

I’ve submitted a patch to mod_ssl which allows third-party modules to send and 
receive TLS hello extensions and TLS supplemental data via optional hooks and 
functions.

The patch can be found here: 
https://issues.apache.org/bugzilla/show_bug.cgi?id=55467

I’m happy to update the patch based on feedback.

Thanks much,

Scott Deboy

agent-based framework for httpd private keys [was: Re: SSL_CTX_get_{first,next}_certificate]

[Daniel Kahn Gillmor]

On 02/06/2014 12:35 AM, Kaspar Brand wrote:
 On 05.02.2014 18:13, Falco Schwarz wrote:
 Kaspar, I ran into another issue when using an encrypted private key and 
 SSLOpenSSLConfCmd PrivateKey.
 Again it fails to load the encrypted private key with the following errors:
 
 That's by design, see [1]. Eventually I'd like to drop support for
 encrypted private keys from trunk.

As part of the goal of dropping encrypted private key support, have you
considered using an agent-based framework for private keys?

As a point of reference, OpenSSH added agent-based host key support for
sshd on 2013-07-20.

tTe basic model is:

 0) there is a running agent that holds secret key material and listens
on a socket (unix-domain sockets are nice because of the possibility of
tight filesystem permission control)

 1) the daemon (httpd, sshd) knows how to talk to the agent, to request
a list of available keys, and to request signing or decryption
operations to be done by the keys.

 2) the agent has a set of rules that govern when and how to obey a
specific request for signing or decryption operations

 3) the sysadmin has an interface to load password-protected keys into
the agent.

You can also run the agent under a different user account than the web
server, so that a runaway web server process wouldn't have access to the
secret key material without some other privilege escalation.  And you
can commit to a very small-footprint agent, with less room for bugs and
exploits, as compared to the entire modular webserver.

PKCS#11 is one formalization of this approach (though i think that PKCS
#11's shared object interface itself is pretty problematic in today's
multi-core/multi-threaded/multi-process architectures).

Anyway, with some sort of agent-based approach, you could preserve
encrypted keys-on-disk (for Joe Orton's examples of admins with access
to full-machine backups, or secret-keys-on-NFS) while leaving apache
agnostic about the way the keys get *into* the agent.

--dkg



signature.asc
Description: OpenPGP digital signature