Merge branch 'apache:trunk' into trunk

samkenxstream · Jul 20, 2023 · 22bb839 · 22bb839
2 parents e335ddf + bc8431b
commit 22bb839
Show file tree

Hide file tree

Showing 23 changed files with 853 additions and 127 deletions.
diff --git a/changes-entries/alias-preserve-path.txt b/changes-entries/alias-preserve-path.txt
@@ -0,0 +1,3 @@
+  *) mod_alias: Add AliasPreservePath directive to map the full
+     path after the alias in a location. [Graham Leggett]
+
diff --git a/changes-entries/md_v2.4.23.txt b/changes-entries/md_v2.4.23.txt
@@ -0,0 +1,14 @@
+ * mod_md:
+   - New directive `MDMatchNames all|servernames` to allow more control over how
+     MDomains are matched to VirtualHosts.
+   - New directive `MDChallengeDns01Version`. Setting this to `2` will provide
+     the command also with the challenge value on `teardown` invocation. In version
+     1, the default, only the `setup` invocation gets this parameter.
+     Refs #312. Thanks to @domrim for the idea.
+   - For Managed Domain in "manual" mode, the checks if all used ServerName and
+     ServerAlias are part of the MDomain now reports a warning instead of an error
+     (AH10040) when not all names are present.
+   - MDChallengeDns01 can now be configured for individual domains.
+     Using PR from Jérôme Billiras (@bilhackmac) and adding test case and fixing proper working
+   - Fixed a bug found by Jérôme Billiras (@bilhackmac) that caused the challenge
+     teardown not being invoked as it should.
diff --git a/docs/log-message-tags/next-number b/docs/log-message-tags/next-number
@@ -1 +1 @@
-10473
+10474
diff --git a/docs/manual/mod/mod_alias.xml b/docs/manual/mod/mod_alias.xml
@@ -194,6 +194,24 @@ Alias "/image" "/ftp/pub/image"
 &lt;/LocationMatch&gt;
     </highlight>
 
+    <p>Note that when the <directive>AliasPreservePath</directive>
+    directive is on, the full path is mapped to the destination. When
+    the directive is off, all URLs are mapped to the single target
+    URL.</p>
+
+    <highlight language="config">
+# /files/foo and /files/bar mapped to /ftp/pub/files/foo and /ftp/pub/files/bar
+&lt;Location "/files"&gt;
+    AliasPreservePath on
+    Alias "/ftp/pub/files"
+&lt;/Location&gt;
+# /errors/foo and /errors/bar mapped to /var/www/errors.html
+&lt;Location "/errors"&gt;
+    AliasPreservePath off
+    Alias "/var/www/errors.html"
+&lt;/Location&gt;
+    </highlight>
+
 </usage>
 </directivesynopsis>
 
@@ -641,5 +659,30 @@ ScriptAliasMatch "(?i)^/cgi-bin(.*)" "/usr/local/apache/cgi-bin$1"
 </usage>
 </directivesynopsis>
 
+<directivesynopsis>
+<name>AliasPreservePath</name>
+<description>Map the full path after the alias in a location.</description>
+<syntax>AliasPreservePath OFF|ON</syntax>
+<default>AliasPreservePath OFF</default>
+<contextlist><context>server config</context><context>virtual host</context>
+<context>directory</context>
+</contextlist>
+<compatibility>2.5.1 and later</compatibility>
+
+<usage>
+    <p>When using the two parameter version of the
+    <directive>Alias</directive> directive, the full path after the alias
+    is preserved. When using the one parameter version of the
+    <directive>Alias</directive> directive inside a
+    <directive>Location</directive> directive, the full path is dropped,
+    and all URLs are mapped to the target expression.</p>
+
+    <p>To make the one parameter version of the
+    <directive>Alias</directive> directive preserve paths in the same way
+    that the two parameter version of the <directive>Alias</directive>
+    directive, enable this setting.</p>
+
+</usage>
+</directivesynopsis>
 
 </modulesynopsis>
diff --git a/docs/manual/mod/mod_md.xml b/docs/manual/mod/mod_md.xml
@@ -1033,7 +1033,9 @@ MDRequireHttps permanent
             <p>
                 Define a program to be called when the `dns-01` challenge needs to be setup/torn down. 
                 The program is given the argument `setup` or `teardown` followed by the domain name. 
-                For `setup` the challenge content is additionally given.
+                For `setup` the challenge content is additionally given. When
+                <directive module="mod_md">MDChallengeDns01Version</directive> is set to 2,
+                the `teardown` also gets the challenge content as argument.
             </p><p>
                 You do not need to specify this, as long as a 'http:' or 'https:' challenge
                 method is possible. However, Let's Encrypt makes 'dns-01' the only
@@ -1462,4 +1464,52 @@ MDMessageCmd /etc/apache/md-message
         </usage>
     </directivesynopsis>
 
+    <directivesynopsis>
+        <name>MDChallengeDns01Version</name>
+        <description></description>
+        <syntax>MDChallengeDns01Version 1|2</syntax>
+        <default>MDChallengeDns01Version 1</default>
+        <contextlist>
+            <context>server config</context>
+        </contextlist>
+        <compatibility>Available in version 2.4.58 and later</compatibility>
+        <usage>
+            <p>
+                Set the way MDChallengeDns01 command is invoked, e.g the number and
+                types of arguments. See <directive module="mod_md">MDChallengeDns01</directive>
+                for the differences.
+                This setting is global and cannot be varied per domain.
+            </p>
+        </usage>
+    </directivesynopsis>
+
+    <directivesynopsis>
+        <name>MDMatchNames</name>
+        <description></description>
+        <syntax>MDMatchNames all|servernames</syntax>
+        <default>MDMatchNames all</default>
+        <contextlist>
+            <context>server config</context>
+        </contextlist>
+        <compatibility>Available in version 2.4.58 and later</compatibility>
+        <usage>
+            <p>
+                The mode `all` is the behaviour as in all previous versions. Both ServerName
+                and ServerAlias are inspected to find the MDomain matching a VirtualHost.
+                This automatically detects coverage, even when you only have added
+                one of the names to an MDomain.
+            </p><p>
+                However, this auto-magic has drawbacks in more complex setups. If you set
+                this directive to `servernames`, only the ServerName of a virtual host is
+                used for matching. ServerAliases are disregarded then, for matching.
+                Aliases will still be added to the certificate obtained, unless you also
+                run `MDMembers manual`.
+            </p><p>
+                Another advantage of `servernames` is that it gives you more flexibility
+                with sub-domains and wildcards. You can define one MDomain with a wildcard
+                and have other MDomains for specific sub-domain names.
+            </p>
+        </usage>
+    </directivesynopsis>
+
 </modulesynopsis>
diff --git a/docs/manual/mod/mod_md.xml.fr b/docs/manual/mod/mod_md.xml.fr
@@ -2,7 +2,7 @@
 <!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
 <?xml-stylesheet type="text/xsl" href="../style/manual.fr.xsl"?>
 <!-- French translation : Lucien GENTIS -->
-<!-- English Revision: 1908080 -->
+<!-- English Revision: 1910996 -->
 
 <!--
  Licensed to the Apache Software Foundation (ASF) under one or more
@@ -1218,7 +1218,10 @@ MDRequireHttps permanent
 		programme prend respectivement comme arguments "setup" ou
 		"teardown" suivi du nom de domaine. Pour "setup", le programme
 		prend comme argument supplémentaire les données de vérification
-		"dns-01".
+		"dns-01". Lorsque <directive
+		module="mod_md">MDChallengeDns01Version</directive> est définie
+		à 2, `teardown` prend aussi comme argument le contenu de la
+		vérification.
             </p><p>
                 Tant que la méthode de vérification "http:" ou "https:" est
 		valable, vous n'avez pas besoin de définir cette directive.
@@ -1736,4 +1739,61 @@ MDMessageCmd /etc/apache/md-message
         </usage>
     </directivesynopsis>
 
+    <directivesynopsis>
+        <name>MDChallengeDns01Version</name>
+        <description></description>
+        <syntax>MDChallengeDns01Version 1|2</syntax>
+        <default>MDChallengeDns01Version 1</default>
+        <contextlist>
+            <context>server config</context>
+        </contextlist>
+        <compatibility>Disponible à partir de la version 2.4.58 du serveur HTTP
+	Apache</compatibility>
+        <usage>
+            <p>
+                Cette directive permet de définir de quelle manière est invoquée
+		la commande MDChallengeDns01, à savoir le nombre et le type de
+		ses arguments. Voir <directive
+		module="mod_md">MDChallengeDns01</directive> pour les
+		différences.
+		Cette définition est globale et ne peut pas s'appliquer
+		différemment pour chaque domaine.
+            </p>
+        </usage>
+    </directivesynopsis>
+
+    <directivesynopsis>
+        <name>MDMatchNames</name>
+        <description></description>
+        <syntax>MDMatchNames all|servernames</syntax>
+        <default>MDMatchNames all</default>
+        <contextlist>
+            <context>server config</context>
+        </contextlist>
+        <compatibility>Disponible à partir de la version 2.4.58 du serveur HTTP
+	Apache</compatibility>
+        <usage>
+            <p>
+                Le mode `all` correspond au comportement de toutes les versions
+		précédentes. ServerName et ServerAlias sont inspectés pour
+		trouver le MDomain qui correspond à un serveur virtuel. Les
+		recouvrements sont automatiquement détectés, même si vous n'avez
+		ajouté qu'un des noms à un MDomain.
+            </p><p>
+                Cet automatisme présente cependant des inconvénients avec les
+		configurations plus complexes. Si vous définissez cette
+		directive à `servernames`, seul le ServerName d'un serveur
+		virtuel est inspecté pour la correspondance et les ServerAliases
+		sont donc ignorés. Les Aliases seront tout de même ajoutés au
+		certificat obtenu, à moins que vous ne spécifiiez aussi `MDMembers manual`.
+            </p><p>
+                `servernames` possède un autre avantage : il vous confère plus
+		de souplesse avec les sous-domaines et les caractères
+		génériques. Vous pouvez ainsi définir un MDomain avec un
+		caractère générique et avoir d'autres MDomains pour des noms de
+		sous-domaines spécifiques.
+            </p>
+        </usage>
+    </directivesynopsis>    
+
 </modulesynopsis>
diff --git a/modules/mappers/mod_alias.c b/modules/mappers/mod_alias.c
@@ -41,6 +41,8 @@
 #define ALIAS_FLAG_OFF 0
 #define ALIAS_FLAG_ON  1
 
+#define ALIAS_PRESERVE_PATH_DEFAULT 0
+
 typedef struct {
     const char *real;
     const char *fake;
@@ -64,6 +66,7 @@ typedef struct {
     const ap_expr_info_t *redirect;
     int redirect_status;                /* 301, 302, 303, 410, etc */
     int allow_relative;                 /* skip ap_construct_url() */
+    int alias_preserve_path;            /* map full path */
 } alias_dir_conf;
 
 module AP_MODULE_DECLARE_DATA alias_module;
@@ -89,6 +92,7 @@ static void *create_alias_dir_config(apr_pool_t *p, char *d)
     (alias_dir_conf *) apr_pcalloc(p, sizeof(alias_dir_conf));
     a->redirects = apr_array_make(p, 2, sizeof(alias_entry));
     a->allow_relative = ALIAS_FLAG_DEFAULT;
+    a->alias_preserve_path = ALIAS_FLAG_DEFAULT;
     return a;
 }
 
@@ -124,6 +128,10 @@ static void *merge_alias_dir_config(apr_pool_t *p, void *basev, void *overridesv
     a->allow_relative = (overrides->allow_relative != ALIAS_FLAG_DEFAULT)
                                   ? overrides->allow_relative 
                                   : base->allow_relative;
+    a->alias_preserve_path = (overrides->alias_preserve_path != ALIAS_FLAG_DEFAULT)
+                                  ? overrides->alias_preserve_path
+                                  : base->alias_preserve_path;
+
     return a;
 }
 
@@ -443,7 +451,7 @@ static char *try_alias(request_rec *r)
             return PREGSUB_ERROR;
         }
 
-        if (dirconf->alias_fake) {
+        if (dirconf->alias_fake && dirconf->alias_preserve_path == ALIAS_FLAG_ON) {
             int l;
 
             l = alias_matches(r->uri, dirconf->alias_fake);
@@ -764,6 +772,9 @@ static const command_rec alias_cmds[] =
     AP_INIT_FLAG("RedirectRelative", ap_set_flag_slot,
                   (void*)APR_OFFSETOF(alias_dir_conf, allow_relative), OR_FILEINFO,
                   "Set to ON to allow relative redirect targets to be issued as-is"),
+    AP_INIT_FLAG("AliasPreservePath", ap_set_flag_slot,
+                  (void*)APR_OFFSETOF(alias_dir_conf, alias_preserve_path), OR_FILEINFO,
+                  "Set to ON to map the full path after the fakename to the realname."),
 
     {NULL}
 };

diff --git a/modules/md/md.h b/modules/md/md.h
@@ -78,12 +78,7 @@ struct md_t {
     struct apr_array_header_t *domains; /* all DNS names this MD includes */
     struct apr_array_header_t *contacts;   /* list of contact uris, e.g. mailto:xxx */
 
-    int transitive;                 /* != 0 iff VirtualHost names/aliases are auto-added */
-    md_require_t require_https;     /* Iff https: is required for this MD */
-
-    int renew_mode;                 /* mode of obtaining credentials */
     struct md_pkeys_spec_t *pks;    /* specification for generating private keys */
-    int must_staple;                /* certificates should set the OCSP Must Staple extension */
     md_timeslice_t *renew_window;   /* time before expiration that starts renewal */
     md_timeslice_t *warn_window;    /* time before expiration that warnings are sent out */
 
@@ -98,19 +93,23 @@ struct md_t {
     const char *ca_eab_kid;         /* optional KEYID for external account binding */
     const char *ca_eab_hmac;        /* optional HMAC for external account binding */
 
-    md_state_t state;               /* state of this MD */
     const char *state_descr;        /* description of state of NULL */
 
     struct apr_array_header_t *acme_tls_1_domains; /* domains supporting "acme-tls/1" protocol */
-    int stapling;                   /* if OCSP stapling is enabled */
     const char *dns01_cmd;          /* DNS challenge command, override global command */
 
-    int watched;               /* if certificate is supervised (renew or expiration warning) */
     const struct md_srv_conf_t *sc; /* server config where it was defined or NULL */
     const char *defn_name;          /* config file this MD was defined */
     unsigned defn_line_number;      /* line number of definition */
-
     const char *configured_name;    /* name this MD was configured with, if different */
+
+    int renew_mode;                 /* mode of obtaining credentials */
+    md_require_t require_https;     /* Iff https: is required for this MD */
+    md_state_t state;               /* state of this MD */
+    int transitive;                 /* != 0 iff VirtualHost names/aliases are auto-added */
+    int must_staple;                /* certificates should set the OCSP Must Staple extension */
+    int stapling;                   /* if OCSP stapling is enabled */
+    int watched;                    /* if certificate is supervised (renew or expiration warning) */
 };
 
 #define MD_KEY_ACCOUNT          "account"
@@ -128,6 +127,7 @@ struct md_t {
 #define MD_KEY_CHALLENGE        "challenge"
 #define MD_KEY_CHALLENGES       "challenges"
 #define MD_KEY_CMD_DNS01        "cmd-dns-01"
+#define MD_KEY_DNS01_VERSION    "cmd-dns-01-version"
 #define MD_KEY_COMPLETE         "complete"
 #define MD_KEY_CONTACT          "contact"
 #define MD_KEY_CONTACTS         "contacts"