Re: compile failure [WAS: '']
macke...@animalhead.com wrote:
> Trying your new libapreq2-2.12, specifying the apxs path to Makefile.PL under FreeBSD 6.3, yields the following in the 'make' step:

I've seen this too. I submitted a patch for the freebsd ports tree pending the ports freeze ending in ~1 week we hope and the maintainer committing it.

http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/133694

--
1024D/DB9B8C1C B90B FBC3 A3A1 C71A 8E70 3F8C 75B8 8FFB DB9B 8C1C
Philip M. Gollucci (pgollu...@p6m7g8.com) c: 703.336.9354
Consultant - P6M7G8 Inc. http://p6m7g8.net
Senior Sys Admin - RideCharge, Inc. http://ridecharge.com
Contractor - PositiveEnergyUSA http://positiveenergyusa.com
ASF Member - Apache Software Foundation http://apache.org
FreeBSD Committer - FreeBSD Foundation http://freebsd.org

Work like you don't need the money, love like you'll never get hurt, and dance like nobody's watching.
Re: Deregister and register a single module on passing signal..
On Sun, Apr 19, 2009 at 11:58 PM, Jaysingh Samuel jayasingh.sam...@hotmail.com wrote:
> 1. If I am passing a SIGUSR2 signal to the parent process, then will I be able to reload/rerun only my custom modules, without reading the config file?

No, all the modules are reloaded and the config is re-parsed.

--
Eric Covener
cove...@gmail.com
RE: Deregister and register a single module on passing signal..
Eric,

Thanks for your reply, let me make my question clear.

I have one custom module, which I want to reload every 10 mins. When I give graceful then it reloads all the modules and also the config directives. Because of this I want to have an option in the httpd, say reloadcustom, which takes signal SIGUSR2 and has to reload only the custom modules I have without reading the config directives and should gracefully start the apache.

The only difference between the graceful and my reloadcustom should be that the reloadcustom will have to reload only custom modules without reading the config directives.

I tried to do this by directly calling the post_config on my custom_module in the worker.c after getting the reloadcustom signal, but I see memory leaks because of this. The following is the sample code.

Worker.c

    static void server_main_loop(int remaining_children_to_start)
    {
        int child_slot;
        apr_exit_why_e exitwhy;
        int status, processed_status;
        apr_proc_t pid;
        int i;

        while (!restart_pending && !shutdown_pending) {
            /* Parent process children to finish up and spawns new children. */
            if (is_reload == 1) {
                /* Here I called my custom_module post config function. */
                /* wake up the children...time to die. */
                ap_mpm_pod_killpg(pod, ap_daemons_limit, TRUE);
                is_reload = 0;
            }
            ap_wait_or_timeout(&exitwhy, &status, &pid, pconf);
        }
    }

Please let me know your suggestion on this.

Thanks in advance,
Jaysingh Samuel.

> Date: Mon, 20 Apr 2009 09:21:58 -0400
> Subject: Re: Deregister and register a single module on passing signal..
> From: cove...@gmail.com
> To: modules-dev@httpd.apache.org
>
> On Sun, Apr 19, 2009 at 11:58 PM, Jaysingh Samuel jayasingh.sam...@hotmail.com wrote:
> > 1. If I am passing a SIGUSR2 signal to the parent process, then will I be able to reload/rerun only my custom modules, without reading the config file?
>
> No, all the modules are reloaded and the config is re-parsed.
>
> --
> Eric Covener
> cove...@gmail.com
Bug report for Apache httpd-1.3 [2009/04/19]
Status: UNC=Unconfirmed NEW=New ASS=Assigned OPN=Reopened VER=Verified (Skipped Closed/Resolved)
Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major MIN=Minor NOR=Normal ENH=Enhancement TRV=Trivial

|Bugzilla Bug ID|Status|Severity|Date Posted|Description|
|10744|New|Nor|2002-07-12|suexec might fail to open log file|
|10747|New|Maj|2002-07-12|ftp SIZE command and 'smart' ftp servers results i|
|10760|New|Maj|2002-07-12|empty ftp directory listings from cached ftp direc|
|14518|Opn|Reg|2002-11-13|QUERY_STRING parts not incorporated by mod_rewrite|
|16013|Opn|Nor|2003-01-13|Fooling mod_autoindex + IndexIgnore|
|16631|Inf|Min|2003-01-31|.htaccess errors logged outside the virtual host l|
|17318|Inf|Cri|2003-02-23|Abend on deleting a temporary cache file if proxy|
|19279|Inf|Min|2003-04-24|Invalid chmod options in solaris build|
|21637|Inf|Nor|2003-07-16|Timeout causes a status code of 200 to be logged|
|21777|Inf|Min|2003-07-21|mod_mime_magic doesn't handle little gif files|
|22618|New|Maj|2003-08-21|MultiViews invalidates PATH_TRANSLATED if cgi-wrap|
|25057|Inf|Maj|2003-11-27|Empty PUT access control in .htaccess overrides co|
|26126|New|Nor|2004-01-14|mod_include hangs with request body|
|26152|Ass|Nor|2004-01-15|Apache 1.3.29 and below directory traversal vulner|
|26790|New|Maj|2004-02-09|error deleting old cache file|
|29257|Opn|Nor|2004-05-27|Problem with apache-1.3.31 and mod_frontpage (dso,|
|29498|New|Maj|2004-06-10|non-anonymous ftp broken in mod_proxy|
|29538|Ass|Enh|2004-06-12|No facility used in ErrorLog to syslog|
|30207|New|Nor|2004-07-20|Piped logs don't close read end of pipe|
|30877|New|Nor|2004-08-26|htpasswd clears passwd file on Sun when /var/tmp i|
|30909|New|Cri|2004-08-28|sporadic segfault resulting in broken connections|
|31975|New|Nor|2004-10-29|httpd-1.3.33: buffer overflow in htpasswd if calle|
|32078|New|Enh|2004-11-05|clean up some compiler warnings|
|32539|New|Trv|2004-12-06|[PATCH] configure --enable-shared= brocken on SuSE|
|32974|Inf|Maj|2005-01-06|Client IP not set|
|33086|New|Nor|2005-01-13|unconsistency betwen 404 displayed path and server|
|33495|Inf|Cri|2005-02-10|Apache crashes with WSADuplicateSocket failed for|
|33772|New|Nor|2005-02-28|inconsistency in manual and error reporting by sue|
|33875|New|Enh|2005-03-07|Apache processes consuming CPU|
|34108|New|Nor|2005-03-21|mod_negotiation changes mtime to mtime of Document|
|34114|New|Nor|2005-03-21|Apache could interleave log entries when writing t|
|34404|Inf|Blk|2005-04-11|RewriteMap prg can not handle fpout|
|34571|Inf|Maj|2005-04-22|Apache 1.3.33 stops logging vhost|
|34573|Inf|Maj|2005-04-22|.htaccess not working / mod_auth_mysql|
|35424|New|Nor|2005-06-20|httpd disconnect in Timeout on CGI|
|35439|New|Nor|2005-06-21|Problem with remove /../ in util.c and mod_rewri|
|35547|Inf|Maj|2005-06-29|Problems with libapreq 1.2 and Apache::Cookie|
|3|New|Nor|2005-06-30|Can't find DBM on Debian Sarge|
|36375|Opn|Nor|2005-08-26|Cannot include http_config.h from C++ file|
|37166|New|Nor|2005-10-19|Under certain conditions, mod_cgi delivers an empt|
|37252|New|Reg|2005-10-26|gen_test_char reject NLS string|
|38989|New|Nor|2006-03-15|restart + piped logs stalls httpd for 24 minutes (|
|39104|New|Enh|2006-03-25|[FR] fix build with -Wl,--as-needed|
|39287|New|Nor|2006-04-12|Incorrect If-Modified-Since validation (due to syn|
|39937|New|Nor|2006-06-30|Garbage output if README.html is gzipped or compre|
|40224|Ver|Nor|2006-08-10|System time crashes Apache @year 2038 (win32 only?|
|41279|New|Nor|2007-01-02|Apache 1.3.37 htpasswd is vulnerable to buffer ove|
|42355|New|Maj|2007-05-08|Apache 1.3 permits non-rfc HTTP error code = 600|
|43626|New|Maj|2007-10-15|r-path_info returning invalid value|
|44768|New|Blk|2008-04-07|Server suddenly reverted to showing test page only|
|44926|New|Nor|2008-05-02|1.3.41 binary downloads are faulty MSIs|
Re: mod_proxy/mod_proxy_balancer bug
On Apr 17, 2009, at 4:28 PM, Rainer Jung wrote:
> The same type of balancing decision algorithm was part of mod_jk between 1.2.7 and 1.2.15. I always had problems to understand, how it exactly behaves in case some workers are out of order. The algorithm is interesting, but I found it very hard to model its mathematics into formulas.
>
> We finally decided to switch to something else. For request, traffic or session based balancing we do count items (requests, bytes or new sessions), and divide the counters by two once a minute. That way load that happened in the past does count less.
>
> Furthermore a worker that was dead or deactivated some time gets the biggest current load number when being reactivated, so that it starts as smooth as possible.
>
> I expect porting this to mod_proxy in trunk will be easy, but I'm not sure what experience others have with the fairness of balancing in case you add dynamics to the workers (errors and administrative downtimes).

I have some ideas on the soft start when an errored-out worker returns (or when a new worker is added *hint* *hint*) that I've been playing with. The main thing, for me at least, is low overhead, even if it means sacrificing accuracy to the nth decimal place...

I used to think aging was not something we wanted to do in mod_proxy, but mostly it was based on complex aging, and the overhead associated with that. But I have some ideas there as well.

The main thing I've been working on is trying to do all these things in trunk in a way that is easily backportable to 2.2...
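The counting scheme described in the quoted text above (count items, halve the counters once a minute, give a returning worker the highest current load), as an added C sketch that is not mod_jk or mod_proxy code. The type and function names are hypothetical, and halving the counters of inactive workers as well is an assumption.

```c
/* Added illustration; names are hypothetical, not mod_jk or mod_proxy code. */
#include <stddef.h>

typedef struct {
    unsigned long load;  /* decayed count of requests, bytes or sessions */
    int usable;          /* 0 while in error or administratively stopped */
} worker_t;

/* Pick the usable worker with the lowest decayed load; -1 if none. */
int pick_worker(const worker_t *w, size_t n)
{
    int best = -1;
    for (size_t i = 0; i < n; i++) {
        if (w[i].usable && (best < 0 || w[i].load < w[best].load))
            best = (int)i;
    }
    return best;
}

/* Route one item of the given cost and account for it. */
int route(worker_t *w, size_t n, unsigned long cost)
{
    int i = pick_worker(w, n);
    if (i >= 0)
        w[i].load += cost;
    return i;
}

/* Called once a minute: halve every counter so that old load counts less.
 * Assumption: counters of inactive workers are halved too. */
void decay(worker_t *w, size_t n)
{
    for (size_t i = 0; i < n; i++)
        w[i].load /= 2;
}

/* A returning worker starts at the highest current load, so it is not
 * flooded just because its own counter stood still while it was out. */
void reactivate(worker_t *w, size_t n, size_t idx)
{
    unsigned long max = 0;
    for (size_t i = 0; i < n; i++) {
        if (w[i].usable && w[i].load > max)
            max = w[i].load;
    }
    w[idx].load = max;
    w[idx].usable = 1;
}
```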
Re: segfaults / core dumps caused by ap_internal_fast_redirect
On Apr 19, 2009, at 7:58 AM, Ruediger Pluem wrote:
> As I have seen no further proposals in the last 14 days for a replacement of ap_internal_fast_redirect (as said I have no idea either) I would like to fix the current code to avoid the segfaults that are currently occurring.
>
> My outlined approach is the following:
>
> 1. Create _ex versions of ap_sub_req_lookup_uri / ap_sub_req_lookup_dirent and ap_sub_req_lookup_file that allow to supply a pool from which the subrequest allocates memory.
>
> 2. Let ap_internal_fast_redirect spit out a warning to the error log if the subrequest pool is different from the request pool.
>
> 3. Fix the current internal consumers of ap_internal_fast_redirect (mod_dir / mod_negotiation) to use the _ex versions and feed them with the request pool.

I can't think of anything better without some pretty significant refactoring of a LOT of code... So +1
Re: segfaults / core dumps caused by ap_internal_fast_redirect
Ruediger Pluem wrote:
> 3. Fix the current internal consumers of ap_internal_fast_redirect (mod_dir / mod_negotiation) to use the _ex versions and feed them with the request pool.

If we don't clear the test-redirect pool between attempts, where does that leave us? It sounds like a memory consumption problem lurking ahead, to be followed by claims of DoS vectors against that new implementation of negotiation or dir.
2.2.12 ?
Hi,

I count ~24 changes since 2.2.11 and at least 2 of which I've been asked to plop directly in freebsd ports tree. That tells me it's time.

I know I haven't done it before, but I might consider being the RM if everyone else is ENOTIME.

Thoughts?

--
Philip M. Gollucci (pgollu...@p6m7g8.com)
Re: 2.2.12 ?
On Mon, Apr 20, 2009 at 2:36 PM, Philip M. Gollucci pgollu...@p6m7g8.com wrote:
> Hi,
>
> I count ~24 changes since 2.2.11 and at least 2 of which I've been asked to plop directly in freebsd ports tree. That tells me it's time.
>
> I know I haven't done it before, but I might consider being the RM if everyone else is ENOTIME.
>
> Thoughts?

+1
Re: SNI in 2.2.x (Re: Time for 2.2.10?)
Ruediger Pluem wrote:
> Looks good. Some minor nitpicks: Reviewing the code again I don't think we need to have
>
> +#ifndef OPENSSL_NO_TLSEXT + !(SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name)) +#endif
>
> this condition at all.

Agreed. I have removed this part from the if expression.

> 2. The whole
>
> +if ((r-server != sslconn-server) + renegotiate + (verify SSL_VERIFY_FAIL_IF_NO_PEER_CERT) +#ifndef OPENSSL_NO_TLSEXT + !(SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name)) +#endif +)
>
> can move inside the if block above (
>
> +if ((dc-nVerifyClient != SSL_CVERIFY_UNSET) || +(sc-server-auth.verify_mode != SSL_CVERIFY_UNSET)) {
>
> ) because only if we get inside this block it can happen that verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT gets true. So we save some checks in the case that ((dc->nVerifyClient != SSL_CVERIFY_UNSET) || (sc->server->auth.verify_mode != SSL_CVERIFY_UNSET)) is not true that will always fail and thus waste cycles even more so as there are many SSL configurations outside that do not use client certs at all. This also means we can move the initialization of verify back into the if block.

Correct, changed accordingly.

> Furthermore I think that we need to check for CA list change in any case that we need to renegotiate as even if we do not fail on SSL level due to SSL_VERIFY_FAIL_IF_NO_PEER_CERT there could be other conditions later on in the configuration (sslrequire / rewriterules) that check if we had been successful with our check on SSL level to e.g. provide a nice error page if we were not. So if we have changed the CA list we might signal success to these downstream configuration options although there wasn't one because we used the wrong CA list.

Here I'm not sure I'm really following you / understanding your point. The case I was primarily thinking of is something like

    <VirtualHost foo.example.com:443>
    # (the default, anyway)
    SSLVerifyClient none
    </VirtualHost>

    <VirtualHost bar.example.com:443>
    SSLVerifyClient optional
    SSLCACertificateFile bar-clientauth-bundle.pem
    </VirtualHost>

In this situation, if a non-SNI client requests content from bar.example.com, the renegotiate variable will get set, but since verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT is not true, we will currently let it proceed.

Are you proposing to return HTTP_FORBIDDEN immediately after the MODSSL_CFG_CA_NE checks fail, instead (i.e., even if SSLVerifyClient is optional)? My idea when writing that code was that unless SSLVerifyClient is set to require, we should not stop non-SNI clients here - the evaluation of a possible SSLRequire configuration directive at the end of ssl_hook_Access can still return HTTP_FORBIDDEN, if really needed (OTOH, why exactly would the admin choose optional, then?). But maybe I'm simply missing your real point.

What I had to do anyway, however, is setting r->connection->aborted before returning HTTP_FORBIDDEN... otherwise we run into a problem with keep-alive requests, as additional testing has shown: if we don't drop the connection at the same time (by setting r->connection->aborted), then verify_old keeps its value from the previous request, and renegotiate may therefore not be set again when processing the next request (if verify == verify_old).

Using r->connection->aborted for closing the connection immediately is also used in code further down in ssl_hook_Access (when a renegotiation doesn't have the expected outcome) - i.e., we're not introducing new behavior by using this technique.

> 3. I created a var handshakeserver to avoid the dereferencing of sslconn->server over and over again but this might be only a minor issue.

Fine with me - let me know if v8 includes the changes you had in mind.
Kaspar Index: httpd-trunk/modules/ssl/ssl_engine_kernel.c === --- httpd-trunk/modules/ssl/ssl_engine_kernel.c (revision 765079) +++ httpd-trunk/modules/ssl/ssl_engine_kernel.c (working copy) @@ -186,16 +186,6 @@ int ssl_hook_ReadReq(request_rec *r) return HTTP_BAD_REQUEST; } } -else if (r-connection-vhost_lookup_data) { -/* - * We are using a name based configuration here, but no hostname was - * provided via SNI. Don't allow that. - */ -ap_log_error(APLOG_MARK, APLOG_ERR, 0, r-server, - No hostname was provided via SNI for a name based - virtual host); -return HTTP_FORBIDDEN; -} #endif SSL_set_app_data2(ssl, r); @@ -265,10 +255,11 @@ static void ssl_configure_env(request_rec *r, SSLC */ int ssl_hook_Access(request_rec *r) { -SSLDirConfigRec *dc = myDirConfig(r); -SSLSrvConfigRec *sc = mySrvConfig(r-server); -SSLConnRec *sslconn = myConnConfig(r-connection); -SSL *ssl= sslconn ? sslconn-ssl : NULL; +SSLDirConfigRec *dc
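Review bot: In the first hunk (ssl_hook_ReadReq), dropping the else-if branch on r-connection-vhost_lookup_data removes both the HTTP_FORBIDDEN return and the only visible log message for a name-based virtual host reached without SNI ("No hostname was provided via SNI for a name based virtual host"), and nothing in the visible lines takes its place. Please leave a short comment at this spot saying that the non-SNI case is now decided in ssl_hook_Access, and make sure that path logs at APLOG_ERR when it returns HTTP_FORBIDDEN so the refusal can still be diagnosed from the error log.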
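The keep-alive case described in the message above, as an added C model that is not mod_ssl code and not part of the posted patch. The types, constants and function names are hypothetical; it assumes the two virtual hosts have different client-auth CA settings and that a verify mode, once applied, stays on the connection for later requests.

```c
/* Added model of the keep-alive case; hypothetical names, not mod_ssl code. */
#include <stdbool.h>

#define VERIFY_NONE                 0x00
#define VERIFY_PEER                 0x01
#define VERIFY_FAIL_IF_NO_PEER_CERT 0x02
#define HTTP_FORBIDDEN              403

typedef struct {
    int  handshake_vhost; /* vhost whose settings the TLS handshake used */
    int  verify_mode;     /* verify mode currently set on the connection */
    bool aborted;         /* close the connection after this response */
} conn_t;

/* Access check for one request. Assumption: once a new verify mode is
 * applied it stays on the connection, which is why verify_old "keeps its
 * value from the previous request". Returns 0 when the check does not fire. */
int access_check(conn_t *c, int request_vhost, int verify, bool drop_on_deny)
{
    int  verify_old  = c->verify_mode;
    bool renegotiate = false;

    if (verify != verify_old) {
        c->verify_mode = verify;
        renegotiate = true;
    }
    /* Non-SNI client: the handshake ran against a different vhost, so a
     * required client certificate cannot be checked against the right CAs. */
    if (request_vhost != c->handshake_vhost && renegotiate
        && (verify & VERIFY_FAIL_IF_NO_PEER_CERT)) {
        if (drop_on_deny)
            c->aborted = true;
        return HTTP_FORBIDDEN;
    }
    return 0;
}

/* Two keep-alive requests for vhost 1 on a connection negotiated for vhost 0.
 * Returns the second request's status, or -1 if the connection was closed. */
int second_request_status(bool drop_on_deny)
{
    conn_t c = { 0, VERIFY_NONE, false };
    int verify = VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT;

    if (access_check(&c, 1, verify, drop_on_deny) != HTTP_FORBIDDEN)
        return -2;               /* first request must be refused */
    if (c.aborted)
        return -1;
    return access_check(&c, 1, verify, drop_on_deny);
}
```

With drop_on_deny false, the second request finds verify equal to verify_old, renegotiate stays unset and the check no longer fires; with it true, the connection is closed after the first refusal and there is no second request on it.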