- sync with rawhide, rebuild for remi repo

- add -DDFCGI_DUMP_ENV_VARS -DFCGI_DUMP_HEADERS

5 files changed, 280 insertions, 3 deletions

diff --git a/httpd-2.4.3-apctl-systemd.patch b/httpd-2.4.3-apctl-systemd.patch
index bcb57fe..5823aee 100644
--- a/httpd-2.4.3-apctl-systemd.patch
+++ b/httpd-2.4.3-apctl-systemd.patch
@@ -24,7 +24,7 @@ index c6ac3ea..2599386 100644
 +    ERROR=$?
 +    ;;
 +graceful)
-+    /usr/bin/systemctl restart httpd.service
++    /usr/bin/systemctl reload httpd.service
 +    ERROR=$?
 +    ;;
 +graceful-stop)
diff --git a/httpd-2.4.3-sslsninotreq.patch b/httpd-2.4.3-sslsninotreq.patch
new file mode 100644
index 0000000..6e158c6
--- /dev/null
+++ b/httpd-2.4.3-sslsninotreq.patch
@@ -0,0 +1,83 @@
+diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
+index 15993f1..53ed6f1 100644
+--- a/modules/ssl/ssl_engine_config.c
++++ b/modules/ssl/ssl_engine_config.c
+@@ -55,6 +55,7 @@ SSLModConfigRec *ssl_config_global_create(server_rec *s)
+     mc = (SSLModConfigRec *)apr_palloc(pool, sizeof(*mc));
+     mc->pPool = pool;
+     mc->bFixed = FALSE;
++    mc->sni_required = FALSE;
+ 
+     /*
+      * initialize per-module configuration
+diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
+index bf1f0e4..a7523de 100644
+--- a/modules/ssl/ssl_engine_init.c
++++ b/modules/ssl/ssl_engine_init.c
+@@ -409,7 +409,7 @@ int ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
+     /*
+      * Configuration consistency checks
+      */
+-    ssl_init_CheckServers(base_server, ptemp);
++    ssl_init_CheckServers(mc, base_server, ptemp);
+ 
+     /*
+      *  Announce mod_ssl and SSL library in HTTP Server field
+@@ -1475,7 +1475,7 @@ void ssl_init_ConfigureServer(server_rec *s,
+     }
+ }
+ 
+-void ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
++void ssl_init_CheckServers(SSLModConfigRec *mc, server_rec *base_server, apr_pool_t *p)
+ {
+     server_rec *s, *ps;
+     SSLSrvConfigRec *sc;
+@@ -1557,6 +1557,7 @@ void ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
+     }
+ 
+     if (conflict) {
++        mc->sni_required = TRUE;
+ #ifdef OPENSSL_NO_TLSEXT
+         ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01917)
+                      "Init: You should not use name-based "
+diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
+index bc9e26b..2460f01 100644
+--- a/modules/ssl/ssl_engine_kernel.c
++++ b/modules/ssl/ssl_engine_kernel.c
+@@ -164,6 +164,7 @@ int ssl_hook_ReadReq(request_rec *r)
+         return DECLINED;
+     }
+ #ifndef OPENSSL_NO_TLSEXT
++    if (myModConfig(r->server)->sni_required) {
+     if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
+         char *host, *scope_id;
+         apr_port_t port;
+@@ -206,6 +207,7 @@ int ssl_hook_ReadReq(request_rec *r)
+                      " virtual host");
+         return HTTP_FORBIDDEN;
+     }
++    }
+ #endif
+     SSL_set_app_data2(ssl, r);
+ 
+diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
+index 75fc0e3..31dbfa9 100644
+--- a/modules/ssl/ssl_private.h
++++ b/modules/ssl/ssl_private.h
+@@ -554,6 +554,7 @@ typedef struct {
+     struct {
+         void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10;
+     } rCtx;
++    BOOL            sni_required;
+ } SSLModConfigRec;
+ 
+ /** Structure representing configured filenames for certs and keys for
+@@ -786,7 +787,7 @@ const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag);
+ int          ssl_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
+ void         ssl_init_Engine(server_rec *, apr_pool_t *);
+ void         ssl_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *);
+-void         ssl_init_CheckServers(server_rec *, apr_pool_t *);
++void         ssl_init_CheckServers(SSLModConfigRec *mc, server_rec *, apr_pool_t *);
+ STACK_OF(X509_NAME)
+             *ssl_init_FindCAList(server_rec *, apr_pool_t *, const char *, const char *);
+ void         ssl_init_Child(apr_pool_t *, server_rec *);
diff --git a/httpd-2.4.4-cachehardmax.patch b/httpd-2.4.4-cachehardmax.patch
new file mode 100644
index 0000000..de360ce
--- /dev/null
+++ b/httpd-2.4.4-cachehardmax.patch
@@ -0,0 +1,82 @@
+diff --git a/modules/cache/cache_util.h b/modules/cache/cache_util.h
+index eec38f3..1a2d5ee 100644
+--- a/modules/cache/cache_util.h
++++ b/modules/cache/cache_util.h
+@@ -194,6 +194,9 @@ typedef struct {
+     unsigned int store_nostore_set:1;
+     unsigned int enable_set:1;
+     unsigned int disable_set:1;
++    /* treat maxex as hard limit */
++    unsigned int hardmaxex:1;
++    unsigned int hardmaxex_set:1;
+ } cache_dir_conf;
+ 
+ /* A linked-list of authn providers. */
+diff --git a/modules/cache/mod_cache.c b/modules/cache/mod_cache.c
+index 4f2d3e0..30c88f4 100644
+--- a/modules/cache/mod_cache.c
++++ b/modules/cache/mod_cache.c
+@@ -1299,6 +1299,11 @@ static apr_status_t cache_save_filter(ap_filter_t *f, apr_bucket_brigade *in)
+             exp = date + dconf->defex;
+         }
+     }
++    /* else, forcibly cap the expiry date if required */
++    else if (dconf->hardmaxex && (date + dconf->maxex) < exp) {
++        exp = date + dconf->maxex;
++    }        
++
+     info->expire = exp;
+ 
+     /* We found a stale entry which wasn't really stale. */
+@@ -1717,7 +1722,9 @@ static void *create_dir_config(apr_pool_t *p, char *dummy)
+ 
+     /* array of providers for this URL space */
+     dconf->cacheenable = apr_array_make(p, 10, sizeof(struct cache_enable));
+-
++    /* flag; treat maxex as hard limit */
++    dconf->hardmaxex = 0;
++    dconf->hardmaxex_set = 0;
+     return dconf;
+ }
+ 
+@@ -1767,7 +1774,10 @@ static void *merge_dir_config(apr_pool_t *p, void *basev, void *addv) {
+     new->enable_set = add->enable_set || base->enable_set;
+     new->disable = (add->disable_set == 0) ? base->disable : add->disable;
+     new->disable_set = add->disable_set || base->disable_set;
+-
++    new->hardmaxex = 
++        (add->hardmaxex_set == 0)
++        ? base->hardmaxex
++        : add->hardmaxex;
+     return new;
+ }
+ 
+@@ -2096,12 +2106,18 @@ static const char *add_cache_disable(cmd_parms *parms, void *dummy,
+ }
+ 
+ static const char *set_cache_maxex(cmd_parms *parms, void *dummy,
+-                                   const char *arg)
++                                   const char *arg, const char *hard)
+ {
+     cache_dir_conf *dconf = (cache_dir_conf *)dummy;
+ 
+     dconf->maxex = (apr_time_t) (atol(arg) * MSEC_ONE_SEC);
+     dconf->maxex_set = 1;
++    
++    if (hard && strcasecmp(hard, "hard") == 0) {
++        dconf->hardmaxex = 1;
++        dconf->hardmaxex_set = 1;
++    }
++
+     return NULL;
+ }
+ 
+@@ -2309,7 +2325,7 @@ static const command_rec cache_cmds[] =
+                    "caching is enabled"),
+     AP_INIT_TAKE1("CacheDisable", add_cache_disable, NULL, RSRC_CONF|ACCESS_CONF,
+                   "A partial URL prefix below which caching is disabled"),
+-    AP_INIT_TAKE1("CacheMaxExpire", set_cache_maxex, NULL, RSRC_CONF|ACCESS_CONF,
++    AP_INIT_TAKE12("CacheMaxExpire", set_cache_maxex, NULL, RSRC_CONF|ACCESS_CONF,
+                   "The maximum time in seconds to cache a document"),
+     AP_INIT_TAKE1("CacheMinExpire", set_cache_minex, NULL, RSRC_CONF|ACCESS_CONF,
+                   "The minimum time in seconds to cache a document"),
diff --git a/httpd-2.4.4-sslmultiproxy.patch b/httpd-2.4.4-sslmultiproxy.patch
new file mode 100644
index 0000000..7b912a0
--- /dev/null
+++ b/httpd-2.4.4-sslmultiproxy.patch
@@ -0,0 +1,95 @@
+diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
+index 6ea367c..3cbd08f 100644
+--- a/modules/ssl/mod_ssl.c
++++ b/modules/ssl/mod_ssl.c
+@@ -378,6 +378,9 @@ static SSLConnRec *ssl_init_connection_ctx(conn_rec *c)
+     return sslconn;
+ }
+ 
++static typeof(ssl_proxy_enable) *othermod_proxy_enable;
++static typeof(ssl_engine_disable) *othermod_engine_disable;
++
+ int ssl_proxy_enable(conn_rec *c)
+ {
+     SSLSrvConfigRec *sc;
+@@ -386,6 +389,12 @@ int ssl_proxy_enable(conn_rec *c)
+     sc = mySrvConfig(sslconn->server);
+ 
+     if (!sc->proxy_enabled) {
++        if (othermod_proxy_enable) {
++            ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
++                          "mod_ssl proxy not configured, passing through to other module.");
++            return othermod_proxy_enable(c);
++        }
++
+         ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01961)
+                       "SSL Proxy requested for %s but not enabled "
+                       "[Hint: SSLProxyEngine]", sc->vhost_id);
+@@ -405,6 +414,10 @@ int ssl_engine_disable(conn_rec *c)
+ 
+     SSLConnRec *sslconn = myConnConfig(c);
+ 
++    if (othermod_engine_disable) {
++        othermod_engine_disable(c);
++    }
++
+     if (sslconn) {
+         sc = mySrvConfig(sslconn->server);
+     }
+@@ -590,6 +603,9 @@ static void ssl_register_hooks(apr_pool_t *p)
+     ap_hook_post_read_request(ssl_hook_ReadReq, pre_prr,NULL, APR_HOOK_MIDDLE);
+ 
+     ssl_var_register(p);
++    
++    othermod_proxy_enable = APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable);
++    othermod_engine_disable = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable);
+ 
+     APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
+     APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
+diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c
+index 536e6b1..c508fff 100644
+--- a/modules/ssl/ssl_engine_vars.c
++++ b/modules/ssl/ssl_engine_vars.c
+@@ -53,10 +53,15 @@ static void  ssl_var_lookup_ssl_cipher_bits(SSL *ssl, int *usekeysize, int *algk
+ static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var);
+ static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl);
+ 
++static APR_OPTIONAL_FN_TYPE(ssl_is_https) *othermod_is_https;
++static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *othermod_var_lookup;
++
+ static int ssl_is_https(conn_rec *c)
+ {
+     SSLConnRec *sslconn = myConnConfig(c);
+-    return sslconn && sslconn->ssl;
++    
++    return (sslconn && sslconn->ssl)
++        || (othermod_is_https && othermod_is_https(c));
+ }
+ 
+ static const char var_interface[] = "mod_ssl/" AP_SERVER_BASEREVISION;
+@@ -106,6 +111,9 @@ void ssl_var_register(apr_pool_t *p)
+ {
+     char *cp, *cp2;
+ 
++    othermod_is_https = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https);
++    othermod_var_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup);
++
+     APR_REGISTER_OPTIONAL_FN(ssl_is_https);
+     APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
+     APR_REGISTER_OPTIONAL_FN(ssl_ext_list);
+@@ -241,6 +249,15 @@ char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r,
+      */
+     if (result == NULL && c != NULL) {
+         SSLConnRec *sslconn = myConnConfig(c);
++
++        if (strlen(var) > 4 && strcEQn(var, "SSL_", 4)
++            && (!sslconn || !sslconn->ssl) && othermod_var_lookup) {
++            /* For an SSL_* variable, if mod_ssl is not enabled for
++             * this connection and another SSL module is present, pass
++             * through to that module. */
++            return othermod_var_lookup(p, s, c, r, var);
++        }
++
+         if (strlen(var) > 4 && strcEQn(var, "SSL_", 4)
+             && sslconn && sslconn->ssl)
+             result = ssl_var_lookup_ssl(p, c, r, var+4);
diff --git a/httpd.spec b/httpd.spec
index da15cb6..71fe641 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -14,7 +14,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.4
-Release: 4%{?dist}
+Release: 5%{?dist}
 URL: http://httpd.apache.org/
 Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: index.html
@@ -59,8 +59,11 @@ Patch26: httpd-2.4.4-r1337344+.patch
 Patch27: httpd-2.4.2-icons.patch
 Patch28: httpd-2.4.4-r1332643+.patch
 Patch29: httpd-2.4.3-mod_systemd.patch
+Patch30: httpd-2.4.4-cachehardmax.patch
+Patch31: httpd-2.4.4-sslmultiproxy.patch
 # Bug fixes
 Patch50: httpd-2.4.2-r1374214+.patch
+Patch51: httpd-2.4.3-sslsninotreq.patch
 License: ASL 2.0
 Group: System Environment/Daemons
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@@ -180,8 +183,11 @@ interface for storing and accessing per-user session data.
 %patch27 -p1 -b .icons
 %patch28 -p1 -b .r1332643+
 %patch29 -p1 -b .systemd
+%patch30 -p1 -b .cachehardmax
+%patch31 -p1 -b .sslmulti
 
 %patch50 -p1 -b .r1374214+
+%patch51 -p1 -b .sninotreq
 
 # Patch in the vendor string
 sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@@ -210,7 +216,7 @@ autoheader && autoconf || exit 1
 %{__perl} -pi -e "s:\@exp_installbuilddir\@:%{_libdir}/httpd/build:g" \
 	support/apxs.in
 
-export CFLAGS=$RPM_OPT_FLAGS
+export CFLAGS="$RPM_OPT_FLAGS -DFCGI_DUMP_ENV_VARS -DFCGI_DUMP_HEADERS"
 export LDFLAGS="-Wl,-z,relro,-z,now"
 
 # Hard-code path to links to avoid unnecessary builddep
@@ -626,6 +632,17 @@ rm -rf $RPM_BUILD_ROOT
 %{_sysconfdir}/rpm/macros.httpd
 
 %changelog
+* Mon Apr 29 2013 Remi Collet <RPMS@FamilleCollet.com> - 2.4.4-5
+- sync with rawhide, rebuild for remi repo
+- add -DDFCGI_DUMP_ENV_VARS -DFCGI_DUMP_HEADERS
+
+* Thu Apr 18 2013 Jan Kaluza <jkaluza@redhat.com> - 2.4.4-5
+- execute systemctl reload as result of apachectl graceful
+- mod_ssl: ignore SNI hints unless required by config
+- mod_cache: forward-port CacheMaxExpire "hard" option
+- mod_ssl: fall back on another module's proxy hook if mod_ssl proxy
+  is not configured.
+
 * Tue Apr 16 2013 Remi Collet <RPMS@FamilleCollet.com> - 2.4.4-4
 - sync with rawhide, rebuild for remi repo