public inbox for gentoo-commits@lists.gentoo.org
 help / color / mirror / Atom feed
* [gentoo-commits] repo/gentoo:master commit in: www-servers/apache/, www-servers/apache/files/
@ 2018-04-20  3:11 Aaron Bauman
  0 siblings, 0 replies; 15+ messages in thread
From: Aaron Bauman @ 2018-04-20  3:11 UTC (permalink / raw
  To: gentoo-commits

commit:     10b3011a4085229faa82e2a1512a233d86bc5e80
Author:     Aaron Bauman <bman <AT> gentoo <DOT> org>
AuthorDate: Fri Apr 20 03:11:08 2018 +0000
Commit:     Aaron Bauman <bman <AT> gentoo <DOT> org>
CommitDate: Fri Apr 20 03:11:08 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=10b3011a

www-servers/apache: compatibility patch for LibreSSL

This patch fixes building dev-libs/libressl and is based on the upstream
Git commit 8134addfabf2685e08da6d51167775b628fda0dc.

Closes: https://bugs.gentoo.org/651312
Package-Manager: Portage-2.3.31, Repoman-2.3.9

 www-servers/apache/apache-2.4.33.ebuild            |  5 ++
 .../apache-2.4.33-libressl-compatibility.patch     | 97 ++++++++++++++++++++++
 2 files changed, 102 insertions(+)

diff --git a/www-servers/apache/apache-2.4.33.ebuild b/www-servers/apache/apache-2.4.33.ebuild
index 6ec7fdfb67e..54ecf1cb053 100644
--- a/www-servers/apache/apache-2.4.33.ebuild
+++ b/www-servers/apache/apache-2.4.33.ebuild
@@ -141,6 +141,11 @@ RDEPEND+="${CDEPEND}"
 
 REQUIRED_USE="apache2_modules_http2? ( ssl )"
 
+PATCHES=(
+	# this *should* be included from upstream in the next release as it is currently in Git head
+	"${FILESDIR}/${P}-libressl-compatibility.patch"
+)
+
 pkg_setup() {
 	# dependend critical modules which are not allowed in global scope due
 	# to USE flag conditionals (bug #499260)

diff --git a/www-servers/apache/files/apache-2.4.33-libressl-compatibility.patch b/www-servers/apache/files/apache-2.4.33-libressl-compatibility.patch
new file mode 100644
index 00000000000..97d33468e19
--- /dev/null
+++ b/www-servers/apache/files/apache-2.4.33-libressl-compatibility.patch
@@ -0,0 +1,97 @@
+# based on upstream commit from:
+# https://github.com/apache/httpd/commit/8134addfabf2685e08da6d51167775b628fda0dc
+# this should be included in the next release (2.4.34?)
+
+diff --git a/modules/md/md_crypt.c b/modules/md/md_crypt.c
+index 66682eaf4d..8f0def2805 100644
+--- a/modules/md/md_crypt.c
++++ b/modules/md/md_crypt.c
+@@ -190,7 +190,7 @@ static int pem_passwd(char *buf, int size, int rwflag, void *baton)
+  */
+ static apr_time_t md_asn1_time_get(const ASN1_TIME* time)
+ {
+-#ifdef LIBRESSL_VERSION_NUMBER
++#ifdef LIBRESSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
+     /* courtesy: https://stackoverflow.com/questions/10975542/asn1-time-to-time-t-conversion#11263731
+      * all bugs are mine */
+     apr_time_exp_t t;
+@@ -471,7 +471,7 @@ apr_status_t md_pkey_gen(md_pkey_t **ppkey, apr_pool_t *p, md_pkey_spec_t *spec)
+     }
+ }
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000f)
+ 
+ #ifndef NID_tlsfeature
+ #define NID_tlsfeature          1020
+diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
+index 48d64cb624..2392019aed 100644
+--- a/modules/ssl/mod_ssl.c
++++ b/modules/ssl/mod_ssl.c
+@@ -398,7 +398,7 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,
+     /* We must register the library in full, to ensure our configuration
+      * code can successfully test the SSL environment.
+      */
+-#if MODSSL_USE_OPENSSL_PRE_1_1_API
++#if MODSSL_USE_OPENSSL_PRE_1_1_API || defined(LIBRESSL_VERSION_NUMBER)
+     (void)CRYPTO_malloc_init();
+ #else
+     OPENSSL_malloc_init();
+diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
+index a3a74f474c..88c0939cab 100644
+--- a/modules/ssl/ssl_engine_init.c
++++ b/modules/ssl/ssl_engine_init.c
+@@ -546,7 +546,8 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
+     char *cp;
+     int protocol = mctx->protocol;
+     SSLSrvConfigRec *sc = mySrvConfig(s);
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L || \
++	(defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20800000L)
+     int prot;
+ #endif
+ 
+@@ -616,7 +617,8 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
+ 
+     SSL_CTX_set_options(ctx, SSL_OP_ALL);
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
++	(defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20800000L)
+     /* always disable SSLv2, as per RFC 6176 */
+     SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
+ 
+diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
+index a39569cbf7..e0e1b37087 100644
+--- a/modules/ssl/ssl_private.h
++++ b/modules/ssl/ssl_private.h
+@@ -132,13 +132,14 @@
+         SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
+ #define SSL_CTX_set_max_proto_version(ctx, version) \
+         SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
+-#endif
+-/* LibreSSL declares OPENSSL_VERSION_NUMBER == 2.0 but does not include most
+- * changes from OpenSSL >= 1.1 (new functions, macros, deprecations, ...), so
+- * we have to work around this...
++#elif LIBRESSL_VERSION_NUMBER < 0x2070000f
++/* LibreSSL before 2.7 declares OPENSSL_VERSION_NUMBER == 2.0 but does not
++ * include most changes from OpenSSL >= 1.1 (new functions, macros, 
++ * deprecations, ...), so we have to work around this...
+  */
+ #define MODSSL_USE_OPENSSL_PRE_1_1_API (1)
+-#else
++#endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f */
++#else /* defined(LIBRESSL_VERSION_NUMBER) */
+ #define MODSSL_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L)
+ #endif
+ 
+@@ -238,7 +239,8 @@ void init_bio_methods(void);
+ void free_bio_methods(void);
+ #endif
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
++#if OPENSSL_VERSION_NUMBER < 0x10002000L || \
++	(defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000f)
+ #define X509_STORE_CTX_get0_store(x) (x->ctx)
+ #endif
+ 


^ permalink raw reply related	[flat|nested] 15+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: www-servers/apache/, www-servers/apache/files/
@ 2024-05-11  6:21 Hans de Graaff
  0 siblings, 0 replies; 15+ messages in thread
From: Hans de Graaff @ 2024-05-11  6:21 UTC (permalink / raw
  To: gentoo-commits

commit:     c5353958548b881dcc526a0ed8ce3013dddd4df1
Author:     Hans de Graaff <graaff <AT> gentoo <DOT> org>
AuthorDate: Sat May 11 06:16:51 2024 +0000
Commit:     Hans de Graaff <graaff <AT> gentoo <DOT> org>
CommitDate: Sat May 11 06:21:00 2024 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c5353958

www-servers/apache: fix compatibility with rustls-0.13.0

Closes: https://bugs.gentoo.org/928046
Signed-off-by: Hans de Graaff <graaff <AT> gentoo.org>

 www-servers/apache/apache-2.4.59-r2.ebuild         | 259 ++++++++++
 .../apache/files/apache-2.4.59-rustls-0.13.0.patch | 544 +++++++++++++++++++++
 2 files changed, 803 insertions(+)

diff --git a/www-servers/apache/apache-2.4.59-r2.ebuild b/www-servers/apache/apache-2.4.59-r2.ebuild
new file mode 100644
index 000000000000..9da48f31fb38
--- /dev/null
+++ b/www-servers/apache/apache-2.4.59-r2.ebuild
@@ -0,0 +1,259 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+# latest gentoo apache files
+GENTOO_PATCHSTAMP="20240405"
+GENTOO_DEVELOPER="graaff"
+GENTOO_PATCHNAME="gentoo-apache-2.4.59"
+
+# IUSE/USE_EXPAND magic
+IUSE_MPMS_FORK="prefork"
+IUSE_MPMS_THREAD="event worker"
+
+# << obsolete modules:
+# authn_default authz_default mem_cache
+# mem_cache is replaced by cache_disk
+# ?? buggy modules
+# proxy_scgi: startup error: undefined symbol "ap_proxy_release_connection", no fix found
+# >> added modules for reason:
+# compat: compatibility with 2.2 access control
+# authz_host: new module for access control
+# authn_core: functionality provided by authn_alias in previous versions
+# authz_core: new module, provides core authorization capabilities
+# cache_disk: replacement for mem_cache
+# lbmethod_byrequests: Split off from mod_proxy_balancer in 2.3
+# lbmethod_bytraffic: Split off from mod_proxy_balancer in 2.3
+# lbmethod_bybusyness: Split off from mod_proxy_balancer in 2.3
+# lbmethod_heartbeat: Split off from mod_proxy_balancer in 2.3
+# slotmem_shm: Slot-based shared memory provider (for lbmethod_byrequests).
+# socache_shmcb: shared object cache provider. Default config with ssl needs it
+# unixd: fixes startup error: Invalid command 'User'
+IUSE_MODULES="access_compat actions alias allowmethods asis auth_basic auth_digest auth_form
+authn_anon authn_core authn_dbd authn_dbm authn_file authn_socache authz_core
+authz_dbd authz_dbm authz_groupfile authz_host authz_owner authz_user autoindex
+brotli cache cache_disk cache_socache cern_meta charset_lite cgi cgid dav dav_fs dav_lock
+dbd deflate dir dumpio env expires ext_filter file_cache filter headers http2
+ident imagemap include info lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness
+lbmethod_heartbeat log_config log_forensic logio lua macro md mime mime_magic negotiation
+proxy proxy_ajp proxy_balancer proxy_connect proxy_ftp proxy_hcheck proxy_html proxy_http proxy_scgi
+proxy_http2 proxy_fcgi proxy_uwsgi proxy_wstunnel rewrite ratelimit remoteip reqtimeout
+session session_cookie session_crypto session_dbd setenvif slotmem_shm socache_memcache
+socache_shmcb speling status substitute systemd tls unique_id userdir usertrack
+unixd version vhost_alias watchdog xml2enc"
+# The following are also in the source as of this version, but are not available
+# for user selection:
+# bucketeer case_filter case_filter_in echo http isapi optional_fn_export
+# optional_fn_import optional_hook_export optional_hook_import
+
+# inter-module dependencies
+# TODO: this may still be incomplete
+MODULE_DEPENDS="
+	auth_form:session
+	brotli:filter
+	dav_fs:dav
+	dav_lock:dav
+	deflate:filter
+	cache_disk:cache
+	ext_filter:filter
+	file_cache:cache
+	lbmethod_byrequests:proxy_balancer
+	lbmethod_byrequests:slotmem_shm
+	lbmethod_bytraffic:proxy_balancer
+	lbmethod_bybusyness:proxy_balancer
+	lbmethod_heartbeat:proxy_balancer
+	log_forensic:log_config
+	logio:log_config
+	cache_disk:cache
+	cache_socache:cache
+	md:watchdog
+	mime_magic:mime
+	proxy_ajp:proxy
+	proxy_balancer:proxy
+	proxy_balancer:slotmem_shm
+	proxy_connect:proxy
+	proxy_ftp:proxy
+	proxy_hcheck:proxy
+	proxy_hcheck:watchdog
+	proxy_html:proxy
+	proxy_html:xml2enc
+	proxy_http:proxy
+	proxy_http2:proxy
+	proxy_scgi:proxy
+	proxy_uwsgi:proxy
+	proxy_fcgi:proxy
+	proxy_wstunnel:proxy
+	session_cookie:session
+	session_dbd:dbd
+	session_dbd:session
+	socache_memcache:cache
+	substitute:filter
+"
+
+# module<->define mappings
+MODULE_DEFINES="
+	auth_digest:AUTH_DIGEST
+	authnz_ldap:AUTHNZ_LDAP
+	cache:CACHE
+	cache_disk:CACHE
+	cache_socache:CACHE
+	dav:DAV
+	dav_fs:DAV
+	dav_lock:DAV
+	file_cache:CACHE
+	http2:HTTP2
+	info:INFO
+	ldap:LDAP
+	lua:LUA
+	md:SSL
+	proxy:PROXY
+	proxy_ajp:PROXY
+	proxy_balancer:PROXY
+	proxy_connect:PROXY
+	proxy_fcgi:PROXY
+	proxy_ftp:PROXY
+	proxy_hcheck:PROXY
+	proxy_html:PROXY
+	proxy_http:PROXY
+	proxy_http2:PROXY
+	proxy_scgi:PROXY
+	proxy_uwsgi:PROXY
+	proxy_wstunnel:PROXY
+	socache_shmcb:SSL
+	socache_memcache:CACHE
+	ssl:SSL
+	status:STATUS
+	suexec:SUEXEC
+	systemd:SYSTEMD
+	userdir:USERDIR
+"
+
+# critical modules for the default config
+MODULE_CRITICAL="
+	authn_core
+	authz_core
+	authz_host
+	dir
+	mime
+	unixd
+"
+inherit apache-2 systemd tmpfiles toolchain-funcs
+
+DESCRIPTION="The Apache Web Server"
+HOMEPAGE="https://httpd.apache.org/"
+
+# some helper scripts are Apache-1.1, thus both are here
+LICENSE="Apache-2.0 Apache-1.1"
+SLOT="2"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x64-macos ~x64-solaris"
+
+RDEPEND="
+	apache2_modules_tls? ( >=net-libs/rustls-ffi-0.13.0:= )
+"
+DEPEND="${RDEPEND}"
+
+PATCHES=( "${FILESDIR}/${P}-dh-regression.patch" "${FILESDIR}/${P}-rustls-0.13.0.patch" )
+
+pkg_setup() {
+	# dependent critical modules which are not allowed in global scope due
+	# to USE flag conditionals (bug #499260)
+	use ssl && MODULE_CRITICAL+=" socache_shmcb"
+	use doc && MODULE_CRITICAL+=" alias negotiation setenvif"
+	apache-2_pkg_setup
+}
+
+src_configure() {
+	# Brain dead check.
+	tc-is-cross-compiler && export ap_cv_void_ptr_lt_long="no"
+
+	apache-2_src_configure
+}
+
+src_compile() {
+	if tc-is-cross-compiler ; then
+		# This header is the same across targets, so use the build compiler.
+		pushd server >/dev/null
+		emake gen_test_char
+		tc-export_build_env BUILD_CC
+		${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} \
+			gen_test_char.c -o gen_test_char $(apr-1-config --includes) || die
+		popd >/dev/null
+	fi
+
+	default
+}
+
+src_install() {
+	apache-2_src_install
+	local i
+	local apache_tools_prune_list=(
+		/usr/bin/{htdigest,logresolve,htpasswd,htdbm,ab,httxt2dbm}
+		/usr/sbin/{checkgid,fcgistarter,htcacheclean,rotatelogs}
+		/usr/share/man/man1/{logresolve.1,htdbm.1,htdigest.1,htpasswd.1,dbmmanage.1,ab.1}
+		/usr/share/man/man8/{rotatelogs.8,htcacheclean.8}
+	)
+	for i in ${apache_tools_prune_list[@]} ; do
+		rm "${ED}"/${i} || die "Failed to prune apache-tools bits"
+	done
+
+	dobin support/apxs
+
+	# Note: wait for mod_systemd to be included in some forthcoming release,
+	# Then apache2.4.service can be used and systemd support controlled
+	# through --enable-systemd
+	systemd_newunit "${FILESDIR}/apache2.4-hardened.service" "apache2.service"
+	dotmpfiles "${FILESDIR}/apache.conf"
+	#insinto /etc/apache2/modules.d
+	#doins "${FILESDIR}/00_systemd.conf"
+
+	# Install http2 module config
+	insinto /etc/apache2/modules.d
+	doins "${FILESDIR}"/41_mod_http2.conf
+
+	# Fix path to apache libdir
+	sed "s|@LIBDIR@|$(get_libdir)|" -i "${ED}"/usr/sbin/apache2ctl || die
+}
+
+pkg_postinst() {
+	apache-2_pkg_postinst || die "apache-2_pkg_postinst failed"
+
+	tmpfiles_process apache.conf #662544
+
+	# warnings that default config might not work out of the box
+	local mod cmod
+	for mod in ${MODULE_CRITICAL} ; do
+		if ! use "apache2_modules_${mod}"; then
+			echo
+			ewarn "Warning: Critical module not installed!"
+			ewarn "Modules 'authn_core', 'authz_core' and 'unixd'"
+			ewarn "are highly recomended but might not be in the base profile yet."
+			ewarn "Default config for ssl needs module 'socache_shmcb'."
+			ewarn "Enabling the following flags is highly recommended:"
+			for cmod in ${MODULE_CRITICAL} ; do
+				use "apache2_modules_${cmod}" || \
+					ewarn "+ apache2_modules_${cmod}"
+			done
+			echo
+			break
+		fi
+	done
+	# warning for proxy_balancer and missing load balancing scheduler
+	if use apache2_modules_proxy_balancer; then
+		local lbset=
+		for mod in lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat; do
+			if use "apache2_modules_${mod}"; then
+				lbset=1 && break
+			fi
+		done
+		if [[ ! ${lbset} ]] ; then
+			echo
+			ewarn "Info: Missing load balancing scheduler algorithm module"
+			ewarn "(They were split off from proxy_balancer in 2.3)"
+			ewarn "In order to get the ability of load balancing, at least"
+			ewarn "one of these modules has to be present:"
+			ewarn "lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat"
+			echo
+		fi
+	fi
+}

diff --git a/www-servers/apache/files/apache-2.4.59-rustls-0.13.0.patch b/www-servers/apache/files/apache-2.4.59-rustls-0.13.0.patch
new file mode 100644
index 000000000000..f8cfc6b73c31
--- /dev/null
+++ b/www-servers/apache/files/apache-2.4.59-rustls-0.13.0.patch
@@ -0,0 +1,544 @@
+From 68a5a569f630b116f30c49384e4f737a5e669bb2 Mon Sep 17 00:00:00 2001
+From: Daniel McCarney <daniel@binaryparadox.net>
+Date: Sun, 21 Apr 2024 15:05:19 -0400
+Subject: [PATCH] test: relax rustls-ffi SSL_VERSION_LIBRARY
+
+The rustls version included in the rustls-ffi version output does not
+always contain three components. E.g. rustls-ffi 0.12.2 uses the version
+string:
+
+  rustls-ffi/0.12.2/rustls/0.22
+
+Notably there is no `.0` after the `0.22` for the Rustls version, and
+this requires the `SSL_VERSION_LIBRARY` regexp be relaxed to allow this.
+---
+ test/modules/tls/test_08_vars.py      | 2 +-
+ test/modules/tls/test_14_proxy_ssl.py | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/test/modules/tls/test_08_vars.py b/test/modules/tls/test_08_vars.py
+index ad764a7985a..0e3ee74d2df 100644
+--- a/test/modules/tls/test_08_vars.py
++++ b/test/modules/tls/test_08_vars.py
+@@ -59,7 +59,7 @@ def test_tls_08_vars_const(self, env, name: str, value: str):
+ 
+     @pytest.mark.parametrize("name, pattern", [
+         ("SSL_VERSION_INTERFACE", r'mod_tls/\d+\.\d+\.\d+'),
+-        ("SSL_VERSION_LIBRARY", r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+\.\d+'),
++        ("SSL_VERSION_LIBRARY", r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+(\.\d+)?'),
+     ])
+     def test_tls_08_vars_match(self, env, name: str, pattern: str):
+         r = env.tls_get(env.domain_b, f"/vars.py?name={name}")
+diff --git a/test/modules/tls/test_14_proxy_ssl.py b/test/modules/tls/test_14_proxy_ssl.py
+index 2f46c64f710..87e04c28afa 100644
+--- a/test/modules/tls/test_14_proxy_ssl.py
++++ b/test/modules/tls/test_14_proxy_ssl.py
+@@ -100,7 +100,7 @@ def test_tls_14_proxy_ssl_vars_const(self, env, name: str, value: str):
+ 
+     @pytest.mark.parametrize("name, pattern", [
+         ("SSL_VERSION_INTERFACE", r'mod_tls/\d+\.\d+\.\d+'),
+-        ("SSL_VERSION_LIBRARY", r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+\.\d+'),
++        ("SSL_VERSION_LIBRARY", r'rustls-ffi/\d+\.\d+\.\d+/rustls/\d+\.\d+(\.\d+)?'),
+     ])
+     def test_tls_14_proxy_tsl_vars_match(self, env, name: str, pattern: str):
+         if not HttpdTestEnv.has_shared_module("tls"):
+From fd64ac68206232641406c1512e0916d837821db5 Mon Sep 17 00:00:00 2001
+From: Daniel McCarney <daniel@binaryparadox.net>
+Date: Sun, 21 Apr 2024 15:19:50 -0400
+Subject: [PATCH] mod_tls: rustls-ffi 0.10 -> 0.11
+
+See upstream release notes[0] for more information.
+
+Also note that the, ahem, clunkyness of the verifier API is reduced in
+the 0.12 release and this is a transition state.
+
+[0]: https://github.com/rustls/rustls-ffi/releases/tag/v0.11.0
+---
+ .github/workflows/linux.yml |  2 +-
+ modules/tls/tls_cert.c      | 26 ++++++++++++++++++--------
+ modules/tls/tls_cert.h      |  6 +++---
+ modules/tls/tls_core.c      |  4 ++--
+ 4 files changed, 24 insertions(+), 14 deletions(-)
+
+diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
+index 8c45faf5651..1ac41c6b2d6 100644
+--- a/.github/workflows/linux.yml
++++ b/.github/workflows/linux.yml
+@@ -241,7 +241,7 @@ jobs:
+               APR_VERSION=1.7.4
+               APU_VERSION=1.6.3
+               APU_CONFIG="--with-crypto"
+-              RUSTLS_VERSION="v0.10.0"
++              RUSTLS_VERSION="v0.11.0"
+               NO_TEST_FRAMEWORK=1
+               TEST_INSTALL=1
+               TEST_MOD_TLS=1
+diff --git a/modules/tls/tls_cert.c b/modules/tls/tls_cert.c
+index 624535aa444..17a35fc498d 100644
+--- a/modules/tls/tls_cert.c
++++ b/modules/tls/tls_cert.c
+@@ -449,8 +449,8 @@ apr_status_t tls_cert_root_stores_get(
+ 
+ typedef struct {
+     const char *id;
+-    const rustls_client_cert_verifier *client_verifier;
+-    const rustls_client_cert_verifier_optional *client_verifier_opt;
++    const rustls_allow_any_authenticated_client_verifier *client_verifier;
++    const rustls_allow_any_anonymous_or_authenticated_client_verifier *client_verifier_opt;
+ } tls_cert_verifiers_entry_t;
+ 
+ static int verifiers_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen, const void *val)
+@@ -458,11 +458,11 @@ static int verifiers_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen,
+     tls_cert_verifiers_entry_t *entry = (tls_cert_verifiers_entry_t*)val;
+     (void)ctx; (void)key; (void)klen;
+     if (entry->client_verifier) {
+-        rustls_client_cert_verifier_free(entry->client_verifier);
++        rustls_allow_any_authenticated_client_verifier_free(entry->client_verifier);
+         entry->client_verifier = NULL;
+     }
+     if (entry->client_verifier_opt) {
+-        rustls_client_cert_verifier_optional_free(entry->client_verifier_opt);
++        rustls_allow_any_anonymous_or_authenticated_client_verifier_free(entry->client_verifier_opt);
+         entry->client_verifier_opt = NULL;
+     }
+     return 1;
+@@ -514,20 +514,25 @@ static tls_cert_verifiers_entry_t * verifiers_get_or_make_entry(
+ apr_status_t tls_cert_client_verifiers_get(
+     tls_cert_verifiers_t *verifiers,
+     const char *store_file,
+-    const rustls_client_cert_verifier **pverifier)
++    const rustls_allow_any_authenticated_client_verifier **pverifier)
+ {
+     apr_status_t rv = APR_SUCCESS;
+     tls_cert_verifiers_entry_t *entry;
++    struct rustls_allow_any_authenticated_client_builder *verifier_builder = NULL;
+ 
+     entry = verifiers_get_or_make_entry(verifiers, store_file);
+     if (!entry->client_verifier) {
+         rustls_root_cert_store *store;
+         rv = tls_cert_root_stores_get(verifiers->stores, store_file, &store);
+         if (APR_SUCCESS != rv) goto cleanup;
+-        entry->client_verifier = rustls_client_cert_verifier_new(store);
++        verifier_builder = rustls_allow_any_authenticated_client_builder_new(store);
++        entry->client_verifier = rustls_allow_any_authenticated_client_verifier_new(verifier_builder);
+     }
+ 
+ cleanup:
++    if (verifier_builder != NULL) {
++        rustls_allow_any_authenticated_client_builder_free(verifier_builder);
++    }
+     if (APR_SUCCESS == rv) {
+         *pverifier = entry->client_verifier;
+     }
+@@ -540,20 +545,25 @@ apr_status_t tls_cert_client_verifiers_get(
+ apr_status_t tls_cert_client_verifiers_get_optional(
+     tls_cert_verifiers_t *verifiers,
+     const char *store_file,
+-    const rustls_client_cert_verifier_optional **pverifier)
++    const rustls_allow_any_anonymous_or_authenticated_client_verifier **pverifier)
+ {
+     apr_status_t rv = APR_SUCCESS;
+     tls_cert_verifiers_entry_t *entry;
++    struct rustls_allow_any_anonymous_or_authenticated_client_builder *verifier_builder = NULL;
+ 
+     entry = verifiers_get_or_make_entry(verifiers, store_file);
+     if (!entry->client_verifier_opt) {
+         rustls_root_cert_store *store;
+         rv = tls_cert_root_stores_get(verifiers->stores, store_file, &store);
+         if (APR_SUCCESS != rv) goto cleanup;
+-        entry->client_verifier_opt = rustls_client_cert_verifier_optional_new(store);
++        verifier_builder = rustls_client_cert_verifier_optional_builder_new(store);
++        entry->client_verifier_opt = rustls_allow_any_anonymous_or_authenticated_client_verifier_new(verifier_builder);
+     }
+ 
+ cleanup:
++    if (verifier_builder != NULL) {
++        rustls_client_cert_verifier_optional_builder_free(verifier_builder);
++    }
+     if (APR_SUCCESS == rv) {
+         *pverifier = entry->client_verifier_opt;
+     }
+diff --git a/modules/tls/tls_cert.h b/modules/tls/tls_cert.h
+index 6ab3f48ae13..4ac3865dd86 100644
+--- a/modules/tls/tls_cert.h
++++ b/modules/tls/tls_cert.h
+@@ -193,7 +193,7 @@ void tls_cert_verifiers_clear(
+ apr_status_t tls_cert_client_verifiers_get(
+     tls_cert_verifiers_t *verifiers,
+     const char *store_file,
+-    const rustls_client_cert_verifier **pverifier);
++    const rustls_allow_any_authenticated_client_verifier **pverifier);
+ 
+ /**
+  * Get the optional client certificate verifier for the
+@@ -206,6 +206,6 @@ apr_status_t tls_cert_client_verifiers_get(
+ apr_status_t tls_cert_client_verifiers_get_optional(
+     tls_cert_verifiers_t *verifiers,
+     const char *store_file,
+-    const rustls_client_cert_verifier_optional **pverifier);
++    const rustls_allow_any_anonymous_or_authenticated_client_verifier **pverifier);
+ 
+-#endif /* tls_cert_h */
+\ No newline at end of file
++#endif /* tls_cert_h */
+diff --git a/modules/tls/tls_core.c b/modules/tls/tls_core.c
+index 25479392f1a..df29077826d 100644
+--- a/modules/tls/tls_core.c
++++ b/modules/tls/tls_core.c
+@@ -1119,13 +1119,13 @@ static apr_status_t build_server_connection(rustls_connection **pconnection,
+     if (cc->client_auth != TLS_CLIENT_AUTH_NONE) {
+         ap_assert(sc->client_ca);  /* checked in server_setup */
+         if (cc->client_auth == TLS_CLIENT_AUTH_REQUIRED) {
+-            const rustls_client_cert_verifier *verifier;
++            const rustls_allow_any_authenticated_client_verifier *verifier;
+             rv = tls_cert_client_verifiers_get(sc->global->verifiers, sc->client_ca, &verifier);
+             if (APR_SUCCESS != rv) goto cleanup;
+             rustls_server_config_builder_set_client_verifier(builder, verifier);
+         }
+         else {
+-            const rustls_client_cert_verifier_optional *verifier;
++            const rustls_allow_any_anonymous_or_authenticated_client_verifier *verifier;
+             rv = tls_cert_client_verifiers_get_optional(sc->global->verifiers, sc->client_ca, &verifier);
+             if (APR_SUCCESS != rv) goto cleanup;
+             rustls_server_config_builder_set_client_verifier_optional(builder, verifier);
+From 6d565575343ac5ddd674e53b7b9002396cc04375 Mon Sep 17 00:00:00 2001
+From: Daniel McCarney <daniel@binaryparadox.net>
+Date: Sun, 21 Apr 2024 15:37:25 -0400
+Subject: [PATCH] mod_tls: rustls-ffi 0.11 -> 0.12
+
+See upstream release notes for more information:
+
+https://github.com/rustls/rustls-ffi/releases/tag/v0.12.0
+https://github.com/rustls/rustls-ffi/releases/tag/v0.12.1
+https://github.com/rustls/rustls-ffi/releases/tag/v0.12.2
+---
+ .github/workflows/linux.yml |  2 +-
+ modules/tls/tls_cert.c      | 99 ++++++++++++++++++++-----------------
+ modules/tls/tls_cert.h      |  8 +--
+ modules/tls/tls_core.c      | 16 ++++--
+ 4 files changed, 70 insertions(+), 55 deletions(-)
+
+diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
+index 1ac41c6b2d6..3700bc4546a 100644
+--- a/.github/workflows/linux.yml
++++ b/.github/workflows/linux.yml
+@@ -241,7 +241,7 @@ jobs:
+               APR_VERSION=1.7.4
+               APU_VERSION=1.6.3
+               APU_CONFIG="--with-crypto"
+-              RUSTLS_VERSION="v0.11.0"
++              RUSTLS_VERSION="v0.12.2"
+               NO_TEST_FRAMEWORK=1
+               TEST_INSTALL=1
+               TEST_MOD_TLS=1
+diff --git a/modules/tls/tls_cert.c b/modules/tls/tls_cert.c
+index 17a35fc498d..ffb941cae40 100644
+--- a/modules/tls/tls_cert.c
++++ b/modules/tls/tls_cert.c
+@@ -331,11 +331,12 @@ const char *tls_cert_reg_get_id(tls_cert_reg_t *reg, const rustls_certified_key
+ }
+ 
+ apr_status_t tls_cert_load_root_store(
+-    apr_pool_t *p, const char *store_file, rustls_root_cert_store **pstore)
++    apr_pool_t *p, const char *store_file, const rustls_root_cert_store **pstore)
+ {
+     const char *fpath;
+     tls_data_t pem;
+-    rustls_root_cert_store *store = NULL;
++    rustls_root_cert_store_builder *store_builder = NULL;
++    const rustls_root_cert_store *store = NULL;
+     rustls_result rr = RUSTLS_RESULT_OK;
+     apr_pool_t *ptemp = NULL;
+     apr_status_t rv;
+@@ -353,11 +354,17 @@ apr_status_t tls_cert_load_root_store(
+     rv = tls_util_file_load(ptemp, fpath, 0, 1024*1024, &pem);
+     if (APR_SUCCESS != rv) goto cleanup;
+ 
+-    store = rustls_root_cert_store_new();
+-    rr = rustls_root_cert_store_add_pem(store, pem.data, pem.len, 1);
++    store_builder = rustls_root_cert_store_builder_new();
++    rr = rustls_root_cert_store_builder_add_pem(store_builder, pem.data, pem.len, 1);
++    if (RUSTLS_RESULT_OK != rr) goto cleanup;
++
++    rr = rustls_root_cert_store_builder_build(store_builder, &store);
+     if (RUSTLS_RESULT_OK != rr) goto cleanup;
+ 
+ cleanup:
++    if (store_builder != NULL) {
++        rustls_root_cert_store_builder_free(store_builder);
++    }
+     if (RUSTLS_RESULT_OK != rr) {
+         const char *err_descr;
+         rv = tls_util_rustls_error(p, rr, &err_descr);
+@@ -378,7 +385,7 @@ apr_status_t tls_cert_load_root_store(
+ 
+ typedef struct {
+     const char *id;
+-    rustls_root_cert_store *store;
++    const rustls_root_cert_store *store;
+ } tls_cert_root_stores_entry_t;
+ 
+ static int stores_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen, const void *val)
+@@ -421,14 +428,14 @@ void tls_cert_root_stores_clear(tls_cert_root_stores_t *stores)
+ apr_status_t tls_cert_root_stores_get(
+     tls_cert_root_stores_t *stores,
+     const char *store_file,
+-    rustls_root_cert_store **pstore)
++    const rustls_root_cert_store **pstore)
+ {
+     apr_status_t rv = APR_SUCCESS;
+     tls_cert_root_stores_entry_t *entry;
+ 
+     entry = apr_hash_get(stores->file2store, store_file, APR_HASH_KEY_STRING);
+     if (!entry) {
+-        rustls_root_cert_store *store;
++        const rustls_root_cert_store *store;
+         rv = tls_cert_load_root_store(stores->pool, store_file, &store);
+         if (APR_SUCCESS != rv) goto cleanup;
+         entry = apr_pcalloc(stores->pool, sizeof(*entry));
+@@ -449,8 +456,8 @@ apr_status_t tls_cert_root_stores_get(
+ 
+ typedef struct {
+     const char *id;
+-    const rustls_allow_any_authenticated_client_verifier *client_verifier;
+-    const rustls_allow_any_anonymous_or_authenticated_client_verifier *client_verifier_opt;
++    rustls_client_cert_verifier *client_verifier;
++    rustls_client_cert_verifier *client_verifier_opt;
+ } tls_cert_verifiers_entry_t;
+ 
+ static int verifiers_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen, const void *val)
+@@ -458,11 +465,11 @@ static int verifiers_entry_cleanup(void *ctx, const void *key, apr_ssize_t klen,
+     tls_cert_verifiers_entry_t *entry = (tls_cert_verifiers_entry_t*)val;
+     (void)ctx; (void)key; (void)klen;
+     if (entry->client_verifier) {
+-        rustls_allow_any_authenticated_client_verifier_free(entry->client_verifier);
++        rustls_client_cert_verifier_free(entry->client_verifier);
+         entry->client_verifier = NULL;
+     }
+     if (entry->client_verifier_opt) {
+-        rustls_allow_any_anonymous_or_authenticated_client_verifier_free(entry->client_verifier_opt);
++        rustls_client_cert_verifier_free(entry->client_verifier_opt);
+         entry->client_verifier_opt = NULL;
+     }
+     return 1;
+@@ -511,27 +518,43 @@ static tls_cert_verifiers_entry_t * verifiers_get_or_make_entry(
+     return entry;
+ }
+ 
+-apr_status_t tls_cert_client_verifiers_get(
+-    tls_cert_verifiers_t *verifiers,
+-    const char *store_file,
+-    const rustls_allow_any_authenticated_client_verifier **pverifier)
++static apr_status_t tls_cert_client_verifiers_get_internal(
++        tls_cert_verifiers_t *verifiers,
++        const char *store_file,
++        const rustls_client_cert_verifier **pverifier,
++        bool allow_unauthenticated)
+ {
+     apr_status_t rv = APR_SUCCESS;
+     tls_cert_verifiers_entry_t *entry;
+-    struct rustls_allow_any_authenticated_client_builder *verifier_builder = NULL;
++    rustls_result rr = RUSTLS_RESULT_OK;
++    struct rustls_web_pki_client_cert_verifier_builder *verifier_builder = NULL;
+ 
+     entry = verifiers_get_or_make_entry(verifiers, store_file);
+     if (!entry->client_verifier) {
+-        rustls_root_cert_store *store;
++        const rustls_root_cert_store *store;
+         rv = tls_cert_root_stores_get(verifiers->stores, store_file, &store);
+         if (APR_SUCCESS != rv) goto cleanup;
+-        verifier_builder = rustls_allow_any_authenticated_client_builder_new(store);
+-        entry->client_verifier = rustls_allow_any_authenticated_client_verifier_new(verifier_builder);
++        verifier_builder = rustls_web_pki_client_cert_verifier_builder_new(store);
++
++        if (allow_unauthenticated) {
++            rr = rustls_web_pki_client_cert_verifier_builder_allow_unauthenticated(verifier_builder);
++            if (rr != RUSTLS_RESULT_OK) {
++                goto cleanup;
++            }
++        }
++
++        rr = rustls_web_pki_client_cert_verifier_builder_build(verifier_builder, &entry->client_verifier);
++        if (rr != RUSTLS_RESULT_OK) {
++            goto cleanup;
++        }
+     }
+ 
+ cleanup:
+     if (verifier_builder != NULL) {
+-        rustls_allow_any_authenticated_client_builder_free(verifier_builder);
++        rustls_web_pki_client_cert_verifier_builder_free(verifier_builder);
++    }
++    if (rr != RUSTLS_RESULT_OK) {
++        rv = tls_util_rustls_error(verifiers->pool, rr, NULL);
+     }
+     if (APR_SUCCESS == rv) {
+         *pverifier = entry->client_verifier;
+@@ -542,33 +565,19 @@ apr_status_t tls_cert_client_verifiers_get(
+     return rv;
+ }
+ 
+-apr_status_t tls_cert_client_verifiers_get_optional(
++
++apr_status_t tls_cert_client_verifiers_get(
+     tls_cert_verifiers_t *verifiers,
+     const char *store_file,
+-    const rustls_allow_any_anonymous_or_authenticated_client_verifier **pverifier)
++    const rustls_client_cert_verifier **pverifier)
+ {
+-    apr_status_t rv = APR_SUCCESS;
+-    tls_cert_verifiers_entry_t *entry;
+-    struct rustls_allow_any_anonymous_or_authenticated_client_builder *verifier_builder = NULL;
+-
+-    entry = verifiers_get_or_make_entry(verifiers, store_file);
+-    if (!entry->client_verifier_opt) {
+-        rustls_root_cert_store *store;
+-        rv = tls_cert_root_stores_get(verifiers->stores, store_file, &store);
+-        if (APR_SUCCESS != rv) goto cleanup;
+-        verifier_builder = rustls_client_cert_verifier_optional_builder_new(store);
+-        entry->client_verifier_opt = rustls_allow_any_anonymous_or_authenticated_client_verifier_new(verifier_builder);
+-    }
++    return tls_cert_client_verifiers_get_internal(verifiers, store_file, pverifier, false);
++}
+ 
+-cleanup:
+-    if (verifier_builder != NULL) {
+-        rustls_client_cert_verifier_optional_builder_free(verifier_builder);
+-    }
+-    if (APR_SUCCESS == rv) {
+-        *pverifier = entry->client_verifier_opt;
+-    }
+-    else {
+-        *pverifier = NULL;
+-    }
+-    return rv;
++apr_status_t tls_cert_client_verifiers_get_optional(
++    tls_cert_verifiers_t *verifiers,
++    const char *store_file,
++    const rustls_client_cert_verifier **pverifier)
++{
++    return tls_cert_client_verifiers_get_internal(verifiers, store_file, pverifier, true);
+ }
+diff --git a/modules/tls/tls_cert.h b/modules/tls/tls_cert.h
+index 4ac3865dd86..3326f0eb3e7 100644
+--- a/modules/tls/tls_cert.h
++++ b/modules/tls/tls_cert.h
+@@ -128,7 +128,7 @@ const char *tls_cert_reg_get_id(tls_cert_reg_t *reg, const rustls_certified_key
+  * @param pstore the loaded root store on success
+  */
+ apr_status_t tls_cert_load_root_store(
+-    apr_pool_t *p, const char *store_file, rustls_root_cert_store **pstore);
++    apr_pool_t *p, const char *store_file, const rustls_root_cert_store **pstore);
+ 
+ typedef struct tls_cert_root_stores_t tls_cert_root_stores_t;
+ struct tls_cert_root_stores_t {
+@@ -157,7 +157,7 @@ void tls_cert_root_stores_clear(tls_cert_root_stores_t *stores);
+ apr_status_t tls_cert_root_stores_get(
+     tls_cert_root_stores_t *stores,
+     const char *store_file,
+-    rustls_root_cert_store **pstore);
++    const rustls_root_cert_store **pstore);
+ 
+ typedef struct tls_cert_verifiers_t tls_cert_verifiers_t;
+ struct tls_cert_verifiers_t {
+@@ -193,7 +193,7 @@ void tls_cert_verifiers_clear(
+ apr_status_t tls_cert_client_verifiers_get(
+     tls_cert_verifiers_t *verifiers,
+     const char *store_file,
+-    const rustls_allow_any_authenticated_client_verifier **pverifier);
++    const rustls_client_cert_verifier **pverifier);
+ 
+ /**
+  * Get the optional client certificate verifier for the
+@@ -206,6 +206,6 @@ apr_status_t tls_cert_client_verifiers_get(
+ apr_status_t tls_cert_client_verifiers_get_optional(
+     tls_cert_verifiers_t *verifiers,
+     const char *store_file,
+-    const rustls_allow_any_anonymous_or_authenticated_client_verifier **pverifier);
++    const rustls_client_cert_verifier **pverifier);
+ 
+ #endif /* tls_cert_h */
+diff --git a/modules/tls/tls_core.c b/modules/tls/tls_core.c
+index df29077826d..1cef254f103 100644
+--- a/modules/tls/tls_core.c
++++ b/modules/tls/tls_core.c
+@@ -764,8 +764,10 @@ static apr_status_t init_outgoing_connection(conn_rec *c)
+     tls_conf_proxy_t *pc;
+     const apr_array_header_t *ciphersuites = NULL;
+     apr_array_header_t *tls_versions = NULL;
++    rustls_web_pki_server_cert_verifier_builder *verifier_builder = NULL;
++    struct rustls_server_cert_verifier *verifier = NULL;
+     rustls_client_config_builder *builder = NULL;
+-    rustls_root_cert_store *ca_store = NULL;
++    const rustls_root_cert_store *ca_store = NULL;
+     const char *hostname = NULL, *alpn_note = NULL;
+     rustls_result rr = RUSTLS_RESULT_OK;
+     apr_status_t rv = APR_SUCCESS;
+@@ -809,7 +811,10 @@ static apr_status_t init_outgoing_connection(conn_rec *c)
+     if (pc->proxy_ca && strcasecmp(pc->proxy_ca, "default")) {
+         rv = tls_cert_root_stores_get(pc->global->stores, pc->proxy_ca, &ca_store);
+         if (APR_SUCCESS != rv) goto cleanup;
+-        rustls_client_config_builder_use_roots(builder, ca_store);
++        verifier_builder = rustls_web_pki_server_cert_verifier_builder_new(ca_store);
++        rr = rustls_web_pki_server_cert_verifier_builder_build(verifier_builder, &verifier);
++        if (RUSTLS_RESULT_OK != rr) goto cleanup;
++        rustls_client_config_builder_set_server_verifier(builder, verifier);
+     }
+ 
+ #if TLS_MACHINE_CERTS
+@@ -881,6 +886,7 @@ static apr_status_t init_outgoing_connection(conn_rec *c)
+     rustls_connection_set_userdata(cc->rustls_connection, c);
+ 
+ cleanup:
++    if (verifier_builder != NULL) rustls_web_pki_server_cert_verifier_builder_free(verifier_builder);
+     if (builder != NULL) rustls_client_config_builder_free(builder);
+     if (RUSTLS_RESULT_OK != rr) {
+         const char *err_descr = NULL;
+@@ -1119,16 +1125,16 @@ static apr_status_t build_server_connection(rustls_connection **pconnection,
+     if (cc->client_auth != TLS_CLIENT_AUTH_NONE) {
+         ap_assert(sc->client_ca);  /* checked in server_setup */
+         if (cc->client_auth == TLS_CLIENT_AUTH_REQUIRED) {
+-            const rustls_allow_any_authenticated_client_verifier *verifier;
++            const rustls_client_cert_verifier *verifier;
+             rv = tls_cert_client_verifiers_get(sc->global->verifiers, sc->client_ca, &verifier);
+             if (APR_SUCCESS != rv) goto cleanup;
+             rustls_server_config_builder_set_client_verifier(builder, verifier);
+         }
+         else {
+-            const rustls_allow_any_anonymous_or_authenticated_client_verifier *verifier;
++            const rustls_client_cert_verifier *verifier;
+             rv = tls_cert_client_verifiers_get_optional(sc->global->verifiers, sc->client_ca, &verifier);
+             if (APR_SUCCESS != rv) goto cleanup;
+-            rustls_server_config_builder_set_client_verifier_optional(builder, verifier);
++            rustls_server_config_builder_set_client_verifier(builder, verifier);
+         }
+     }
+ 
+From ef690ed43eed53a7b6aaba6027842cdd76d3ccb4 Mon Sep 17 00:00:00 2001
+From: Daniel McCarney <daniel@binaryparadox.net>
+Date: Sun, 21 Apr 2024 13:49:49 -0400
+Subject: [PATCH] mod_tls: rustls-ffi 0.12 -> 0.13
+
+The breaking API changes in this release don't affect `mod_tls`, making
+this an in-place update.
+
+See the upstream release notes[0] for more information.
+
+[0]: https://github.com/rustls/rustls-ffi/releases/tag/v0.13.0
+---
+ .github/workflows/linux.yml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
+index 3700bc4546a..54dcd7b0b32 100644
+--- a/.github/workflows/linux.yml
++++ b/.github/workflows/linux.yml
+@@ -241,7 +241,7 @@ jobs:
+               APR_VERSION=1.7.4
+               APU_VERSION=1.6.3
+               APU_CONFIG="--with-crypto"
+-              RUSTLS_VERSION="v0.12.2"
++              RUSTLS_VERSION="v0.13.0"
+               NO_TEST_FRAMEWORK=1
+               TEST_INSTALL=1
+               TEST_MOD_TLS=1


^ permalink raw reply related	[flat|nested] 15+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: www-servers/apache/, www-servers/apache/files/
@ 2024-04-13  6:30 Hans de Graaff
  0 siblings, 0 replies; 15+ messages in thread
From: Hans de Graaff @ 2024-04-13  6:30 UTC (permalink / raw
  To: gentoo-commits

commit:     3f82dfe7fd24e56d28eb1af47b12ccec7a8a2fc7
Author:     Hans de Graaff <graaff <AT> gentoo <DOT> org>
AuthorDate: Sat Apr 13 06:29:10 2024 +0000
Commit:     Hans de Graaff <graaff <AT> gentoo <DOT> org>
CommitDate: Sat Apr 13 06:30:46 2024 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3f82dfe7

www-servers/apache: backport DH regression patch

Closes: https://bugs.gentoo.org/929064
Signed-off-by: Hans de Graaff <graaff <AT> gentoo.org>

 www-servers/apache/apache-2.4.59-r1.ebuild         | 254 +++++++++++++++++++++
 .../apache/files/apache-2.4.59-dh-regression.patch |  81 +++++++
 2 files changed, 335 insertions(+)

diff --git a/www-servers/apache/apache-2.4.59-r1.ebuild b/www-servers/apache/apache-2.4.59-r1.ebuild
new file mode 100644
index 000000000000..48a82e0ad1c9
--- /dev/null
+++ b/www-servers/apache/apache-2.4.59-r1.ebuild
@@ -0,0 +1,254 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+# latest gentoo apache files
+GENTOO_PATCHSTAMP="20240405"
+GENTOO_DEVELOPER="graaff"
+GENTOO_PATCHNAME="gentoo-apache-2.4.59"
+
+# IUSE/USE_EXPAND magic
+IUSE_MPMS_FORK="prefork"
+IUSE_MPMS_THREAD="event worker"
+
+# << obsolete modules:
+# authn_default authz_default mem_cache
+# mem_cache is replaced by cache_disk
+# ?? buggy modules
+# proxy_scgi: startup error: undefined symbol "ap_proxy_release_connection", no fix found
+# >> added modules for reason:
+# compat: compatibility with 2.2 access control
+# authz_host: new module for access control
+# authn_core: functionality provided by authn_alias in previous versions
+# authz_core: new module, provides core authorization capabilities
+# cache_disk: replacement for mem_cache
+# lbmethod_byrequests: Split off from mod_proxy_balancer in 2.3
+# lbmethod_bytraffic: Split off from mod_proxy_balancer in 2.3
+# lbmethod_bybusyness: Split off from mod_proxy_balancer in 2.3
+# lbmethod_heartbeat: Split off from mod_proxy_balancer in 2.3
+# slotmem_shm: Slot-based shared memory provider (for lbmethod_byrequests).
+# socache_shmcb: shared object cache provider. Default config with ssl needs it
+# unixd: fixes startup error: Invalid command 'User'
+IUSE_MODULES="access_compat actions alias allowmethods asis auth_basic auth_digest auth_form
+authn_anon authn_core authn_dbd authn_dbm authn_file authn_socache authz_core
+authz_dbd authz_dbm authz_groupfile authz_host authz_owner authz_user autoindex
+brotli cache cache_disk cache_socache cern_meta charset_lite cgi cgid dav dav_fs dav_lock
+dbd deflate dir dumpio env expires ext_filter file_cache filter headers http2
+ident imagemap include info lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness
+lbmethod_heartbeat log_config log_forensic logio lua macro md mime mime_magic negotiation
+proxy proxy_ajp proxy_balancer proxy_connect proxy_ftp proxy_hcheck proxy_html proxy_http proxy_scgi
+proxy_http2 proxy_fcgi proxy_uwsgi proxy_wstunnel rewrite ratelimit remoteip reqtimeout
+session session_cookie session_crypto session_dbd setenvif slotmem_shm socache_memcache
+socache_shmcb speling status substitute systemd tls unique_id userdir usertrack
+unixd version vhost_alias watchdog xml2enc"
+# The following are also in the source as of this version, but are not available
+# for user selection:
+# bucketeer case_filter case_filter_in echo http isapi optional_fn_export
+# optional_fn_import optional_hook_export optional_hook_import
+
+# inter-module dependencies
+# TODO: this may still be incomplete
+MODULE_DEPENDS="
+	auth_form:session
+	brotli:filter
+	dav_fs:dav
+	dav_lock:dav
+	deflate:filter
+	cache_disk:cache
+	ext_filter:filter
+	file_cache:cache
+	lbmethod_byrequests:proxy_balancer
+	lbmethod_byrequests:slotmem_shm
+	lbmethod_bytraffic:proxy_balancer
+	lbmethod_bybusyness:proxy_balancer
+	lbmethod_heartbeat:proxy_balancer
+	log_forensic:log_config
+	logio:log_config
+	cache_disk:cache
+	cache_socache:cache
+	md:watchdog
+	mime_magic:mime
+	proxy_ajp:proxy
+	proxy_balancer:proxy
+	proxy_balancer:slotmem_shm
+	proxy_connect:proxy
+	proxy_ftp:proxy
+	proxy_hcheck:proxy
+	proxy_hcheck:watchdog
+	proxy_html:proxy
+	proxy_html:xml2enc
+	proxy_http:proxy
+	proxy_http2:proxy
+	proxy_scgi:proxy
+	proxy_uwsgi:proxy
+	proxy_fcgi:proxy
+	proxy_wstunnel:proxy
+	session_cookie:session
+	session_dbd:dbd
+	session_dbd:session
+	socache_memcache:cache
+	substitute:filter
+"
+
+# module<->define mappings
+MODULE_DEFINES="
+	auth_digest:AUTH_DIGEST
+	authnz_ldap:AUTHNZ_LDAP
+	cache:CACHE
+	cache_disk:CACHE
+	cache_socache:CACHE
+	dav:DAV
+	dav_fs:DAV
+	dav_lock:DAV
+	file_cache:CACHE
+	http2:HTTP2
+	info:INFO
+	ldap:LDAP
+	lua:LUA
+	md:SSL
+	proxy:PROXY
+	proxy_ajp:PROXY
+	proxy_balancer:PROXY
+	proxy_connect:PROXY
+	proxy_fcgi:PROXY
+	proxy_ftp:PROXY
+	proxy_hcheck:PROXY
+	proxy_html:PROXY
+	proxy_http:PROXY
+	proxy_http2:PROXY
+	proxy_scgi:PROXY
+	proxy_uwsgi:PROXY
+	proxy_wstunnel:PROXY
+	socache_shmcb:SSL
+	socache_memcache:CACHE
+	ssl:SSL
+	status:STATUS
+	suexec:SUEXEC
+	systemd:SYSTEMD
+	userdir:USERDIR
+"
+
+# critical modules for the default config
+MODULE_CRITICAL="
+	authn_core
+	authz_core
+	authz_host
+	dir
+	mime
+	unixd
+"
+inherit apache-2 systemd tmpfiles toolchain-funcs
+
+DESCRIPTION="The Apache Web Server"
+HOMEPAGE="https://httpd.apache.org/"
+
+# some helper scripts are Apache-1.1, thus both are here
+LICENSE="Apache-2.0 Apache-1.1"
+SLOT="2"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x64-macos ~x64-solaris"
+
+PATCHES=( "${FILESDIR}/${P}-dh-regression.patch" )
+
+pkg_setup() {
+	# dependent critical modules which are not allowed in global scope due
+	# to USE flag conditionals (bug #499260)
+	use ssl && MODULE_CRITICAL+=" socache_shmcb"
+	use doc && MODULE_CRITICAL+=" alias negotiation setenvif"
+	apache-2_pkg_setup
+}
+
+src_configure() {
+	# Brain dead check.
+	tc-is-cross-compiler && export ap_cv_void_ptr_lt_long="no"
+
+	apache-2_src_configure
+}
+
+src_compile() {
+	if tc-is-cross-compiler ; then
+		# This header is the same across targets, so use the build compiler.
+		pushd server >/dev/null
+		emake gen_test_char
+		tc-export_build_env BUILD_CC
+		${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} \
+			gen_test_char.c -o gen_test_char $(apr-1-config --includes) || die
+		popd >/dev/null
+	fi
+
+	default
+}
+
+src_install() {
+	apache-2_src_install
+	local i
+	local apache_tools_prune_list=(
+		/usr/bin/{htdigest,logresolve,htpasswd,htdbm,ab,httxt2dbm}
+		/usr/sbin/{checkgid,fcgistarter,htcacheclean,rotatelogs}
+		/usr/share/man/man1/{logresolve.1,htdbm.1,htdigest.1,htpasswd.1,dbmmanage.1,ab.1}
+		/usr/share/man/man8/{rotatelogs.8,htcacheclean.8}
+	)
+	for i in ${apache_tools_prune_list[@]} ; do
+		rm "${ED}"/${i} || die "Failed to prune apache-tools bits"
+	done
+
+	dobin support/apxs
+
+	# Note: wait for mod_systemd to be included in some forthcoming release,
+	# Then apache2.4.service can be used and systemd support controlled
+	# through --enable-systemd
+	systemd_newunit "${FILESDIR}/apache2.4-hardened.service" "apache2.service"
+	dotmpfiles "${FILESDIR}/apache.conf"
+	#insinto /etc/apache2/modules.d
+	#doins "${FILESDIR}/00_systemd.conf"
+
+	# Install http2 module config
+	insinto /etc/apache2/modules.d
+	doins "${FILESDIR}"/41_mod_http2.conf
+
+	# Fix path to apache libdir
+	sed "s|@LIBDIR@|$(get_libdir)|" -i "${ED}"/usr/sbin/apache2ctl || die
+}
+
+pkg_postinst() {
+	apache-2_pkg_postinst || die "apache-2_pkg_postinst failed"
+
+	tmpfiles_process apache.conf #662544
+
+	# warnings that default config might not work out of the box
+	local mod cmod
+	for mod in ${MODULE_CRITICAL} ; do
+		if ! use "apache2_modules_${mod}"; then
+			echo
+			ewarn "Warning: Critical module not installed!"
+			ewarn "Modules 'authn_core', 'authz_core' and 'unixd'"
+			ewarn "are highly recomended but might not be in the base profile yet."
+			ewarn "Default config for ssl needs module 'socache_shmcb'."
+			ewarn "Enabling the following flags is highly recommended:"
+			for cmod in ${MODULE_CRITICAL} ; do
+				use "apache2_modules_${cmod}" || \
+					ewarn "+ apache2_modules_${cmod}"
+			done
+			echo
+			break
+		fi
+	done
+	# warning for proxy_balancer and missing load balancing scheduler
+	if use apache2_modules_proxy_balancer; then
+		local lbset=
+		for mod in lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat; do
+			if use "apache2_modules_${mod}"; then
+				lbset=1 && break
+			fi
+		done
+		if [[ ! ${lbset} ]] ; then
+			echo
+			ewarn "Info: Missing load balancing scheduler algorithm module"
+			ewarn "(They were split off from proxy_balancer in 2.3)"
+			ewarn "In order to get the ability of load balancing, at least"
+			ewarn "one of these modules has to be present:"
+			ewarn "lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat"
+			echo
+		fi
+	fi
+}

diff --git a/www-servers/apache/files/apache-2.4.59-dh-regression.patch b/www-servers/apache/files/apache-2.4.59-dh-regression.patch
new file mode 100644
index 000000000000..63cb606a2630
--- /dev/null
+++ b/www-servers/apache/files/apache-2.4.59-dh-regression.patch
@@ -0,0 +1,81 @@
+From dee1eb37d787d34cb37df7eab535240e1774293a Mon Sep 17 00:00:00 2001
+From: Ruediger Pluem <rpluem@apache.org>
+Date: Mon, 8 Apr 2024 13:18:28 +0000
+Subject: [PATCH] * Ensure that we set the default DH parameters for the key
+
+Replace else with an if as the if branch no longer ensures that
+custome DH parameters have been loaded.
+This fixes a regression that causes the default DH parameters for a key
+no longer set and thus effectively disabling DH ciphers when no explicit
+DH parameters are set.
+
+PR: 68863
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1916863 13f79535-47bb-0310-9956-ffa450edef68
+---
+ changes-entries/pr68863.txt   |  3 +++
+ modules/ssl/ssl_engine_init.c | 11 ++++++-----
+ 2 files changed, 9 insertions(+), 5 deletions(-)
+ create mode 100644 changes-entries/pr68863.txt
+
+diff --git a/changes-entries/pr68863.txt b/changes-entries/pr68863.txt
+new file mode 100644
+index 00000000000..d45ffc708cc
+--- /dev/null
++++ b/changes-entries/pr68863.txt
+@@ -0,0 +1,3 @@
++  *) mod_ssl: Fix a regression that causes the default DH parameters for a key
++     no longer set and thus effectively disabling DH ciphers when no explicit
++     DH parameters are set. PR 68863 [Ruediger Pluem]
+diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
+index 64e4aaf1dcd..f657026d137 100644
+--- a/modules/ssl/ssl_engine_init.c
++++ b/modules/ssl/ssl_engine_init.c
+@@ -1416,6 +1416,7 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
+     const char *vhost_id = mctx->sc->vhost_id, *key_id, *certfile, *keyfile;
+     int i;
+     EVP_PKEY *pkey;
++    int custom_dh_done = 0;
+ #ifdef HAVE_ECC
+     EC_GROUP *ecgroup = NULL;
+     int curve_nid = 0;
+@@ -1591,14 +1592,14 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
+      */
+     certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *);
+     if (certfile && !modssl_is_engine_id(certfile)) {
+-        int done = 0, num_bits = 0;
++        int num_bits = 0;
+ #if OPENSSL_VERSION_NUMBER < 0x30000000L
+         DH *dh = modssl_dh_from_file(certfile);
+         if (dh) {
+             num_bits = DH_bits(dh);
+             SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh);
+             DH_free(dh);
+-            done = 1;
++            custom_dh_done = 1;
+         }
+ #else
+         pkey = modssl_dh_pkey_from_file(certfile);
+@@ -1608,18 +1609,18 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
+                 EVP_PKEY_free(pkey);
+             }
+             else {
+-                done = 1;
++                custom_dh_done = 1;
+             }
+         }
+ #endif
+-        if (done) {
++        if (custom_dh_done) {
+             ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
+                          "Custom DH parameters (%d bits) for %s loaded from %s",
+                          num_bits, vhost_id, certfile);
+         }
+     }
+ #if !MODSSL_USE_OPENSSL_PRE_1_1_API
+-    else {
++    if (!custom_dh_done) {
+         /* If no parameter is manually configured, enable auto
+          * selection. */
+         SSL_CTX_set_dh_auto(mctx->ssl_ctx, 1);


^ permalink raw reply related	[flat|nested] 15+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: www-servers/apache/, www-servers/apache/files/
@ 2022-07-27  9:43 Hans de Graaff
  0 siblings, 0 replies; 15+ messages in thread
From: Hans de Graaff @ 2022-07-27  9:43 UTC (permalink / raw
  To: gentoo-commits

commit:     3719c65ae2577477396fb27c5e42847f1c70ca45
Author:     Hans de Graaff <graaff <AT> gentoo <DOT> org>
AuthorDate: Wed Jul 27 09:40:40 2022 +0000
Commit:     Hans de Graaff <graaff <AT> gentoo <DOT> org>
CommitDate: Wed Jul 27 09:43:20 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3719c65a

www-servers/apache: fix systemd file

Drop the duplicate PrivateTmp setting and remove the
NoNewPrivileges=true setting since it causes issues with suexec and
other distributions don't use this as part of their hardened
configuration.

Thanks to Nick Wiltshire for that patch that this is based on.

Closes: https://bugs.gentoo.org/600292
Signed-off-by: Hans de Graaff <graaff <AT> gentoo.org>

 www-servers/apache/apache-2.4.54-r6.ebuild         | 259 +++++++++++++++++++++
 .../apache/files/apache2.4-hardened.service        |  25 ++
 2 files changed, 284 insertions(+)

diff --git a/www-servers/apache/apache-2.4.54-r6.ebuild b/www-servers/apache/apache-2.4.54-r6.ebuild
new file mode 100644
index 000000000000..ce4943cba61e
--- /dev/null
+++ b/www-servers/apache/apache-2.4.54-r6.ebuild
@@ -0,0 +1,259 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+# latest gentoo apache files
+GENTOO_PATCHSTAMP="20210212"
+GENTOO_DEVELOPER="polynomial-c"
+GENTOO_PATCHNAME="gentoo-apache-2.4.46-r6"
+
+# IUSE/USE_EXPAND magic
+IUSE_MPMS_FORK="prefork"
+IUSE_MPMS_THREAD="event worker"
+
+# << obsolete modules:
+# authn_default authz_default mem_cache
+# mem_cache is replaced by cache_disk
+# ?? buggy modules
+# proxy_scgi: startup error: undefined symbol "ap_proxy_release_connection", no fix found
+# >> added modules for reason:
+# compat: compatibility with 2.2 access control
+# authz_host: new module for access control
+# authn_core: functionality provided by authn_alias in previous versions
+# authz_core: new module, provides core authorization capabilities
+# cache_disk: replacement for mem_cache
+# lbmethod_byrequests: Split off from mod_proxy_balancer in 2.3
+# lbmethod_bytraffic: Split off from mod_proxy_balancer in 2.3
+# lbmethod_bybusyness: Split off from mod_proxy_balancer in 2.3
+# lbmethod_heartbeat: Split off from mod_proxy_balancer in 2.3
+# slotmem_shm: Slot-based shared memory provider (for lbmethod_byrequests).
+# socache_shmcb: shared object cache provider. Default config with ssl needs it
+# unixd: fixes startup error: Invalid command 'User'
+IUSE_MODULES="access_compat actions alias asis auth_basic auth_digest auth_form
+authn_anon authn_core authn_dbd authn_dbm authn_file authn_socache authz_core
+authz_dbd authz_dbm authz_groupfile authz_host authz_owner authz_user autoindex
+brotli cache cache_disk cache_socache cern_meta charset_lite cgi cgid dav dav_fs dav_lock
+dbd deflate dir dumpio env expires ext_filter file_cache filter headers http2
+ident imagemap include info lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness
+lbmethod_heartbeat log_config log_forensic logio lua macro md mime mime_magic negotiation
+proxy proxy_ajp proxy_balancer proxy_connect proxy_ftp proxy_hcheck proxy_html proxy_http proxy_scgi
+proxy_http2 proxy_fcgi proxy_uwsgi proxy_wstunnel rewrite ratelimit remoteip reqtimeout
+session session_cookie session_crypto session_dbd setenvif slotmem_shm socache_memcache
+socache_shmcb speling status substitute systemd unique_id userdir usertrack
+unixd version vhost_alias watchdog xml2enc"
+# The following are also in the source as of this version, but are not available
+# for user selection:
+# bucketeer case_filter case_filter_in echo http isapi optional_fn_export
+# optional_fn_import optional_hook_export optional_hook_import
+
+# inter-module dependencies
+# TODO: this may still be incomplete
+MODULE_DEPENDS="
+	auth_form:session
+	brotli:filter
+	dav_fs:dav
+	dav_lock:dav
+	deflate:filter
+	cache_disk:cache
+	ext_filter:filter
+	file_cache:cache
+	lbmethod_byrequests:proxy_balancer
+	lbmethod_byrequests:slotmem_shm
+	lbmethod_bytraffic:proxy_balancer
+	lbmethod_bybusyness:proxy_balancer
+	lbmethod_heartbeat:proxy_balancer
+	log_forensic:log_config
+	logio:log_config
+	cache_disk:cache
+	cache_socache:cache
+	md:watchdog
+	mime_magic:mime
+	proxy_ajp:proxy
+	proxy_balancer:proxy
+	proxy_balancer:slotmem_shm
+	proxy_connect:proxy
+	proxy_ftp:proxy
+	proxy_hcheck:proxy
+	proxy_hcheck:watchdog
+	proxy_html:proxy
+	proxy_html:xml2enc
+	proxy_http:proxy
+	proxy_http2:proxy
+	proxy_scgi:proxy
+	proxy_uwsgi:proxy
+	proxy_fcgi:proxy
+	proxy_wstunnel:proxy
+	session_cookie:session
+	session_dbd:dbd
+	session_dbd:session
+	socache_memcache:cache
+	substitute:filter
+"
+
+# module<->define mappings
+MODULE_DEFINES="
+	auth_digest:AUTH_DIGEST
+	authnz_ldap:AUTHNZ_LDAP
+	cache:CACHE
+	cache_disk:CACHE
+	cache_socache:CACHE
+	dav:DAV
+	dav_fs:DAV
+	dav_lock:DAV
+	file_cache:CACHE
+	http2:HTTP2
+	info:INFO
+	ldap:LDAP
+	lua:LUA
+	md:SSL
+	proxy:PROXY
+	proxy_ajp:PROXY
+	proxy_balancer:PROXY
+	proxy_connect:PROXY
+	proxy_ftp:PROXY
+	proxy_html:PROXY
+	proxy_http:PROXY
+	proxy_hcheck:PROXY
+	proxy_fcgi:PROXY
+	proxy_scgi:PROXY
+	proxy_wstunnel:PROXY
+	socache_shmcb:SSL
+	socache_memcache:CACHE
+	ssl:SSL
+	status:STATUS
+	suexec:SUEXEC
+	systemd:SYSTEMD
+	userdir:USERDIR
+"
+
+# critical modules for the default config
+MODULE_CRITICAL="
+	authn_core
+	authz_core
+	authz_host
+	dir
+	mime
+	unixd
+"
+inherit apache-2 systemd tmpfiles toolchain-funcs
+
+DESCRIPTION="The Apache Web Server"
+HOMEPAGE="https://httpd.apache.org/"
+
+# some helper scripts are Apache-1.1, thus both are here
+LICENSE="Apache-2.0 Apache-1.1"
+SLOT="2"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x64-macos ~sparc64-solaris ~x64-solaris"
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-2.4.54-no-which.patch # bug #844868
+	"${FILESDIR}"/${PN}-2.4.54-libtool.patch # bug #858836
+)
+
+pkg_setup() {
+	# dependend critical modules which are not allowed in global scope due
+	# to USE flag conditionals (bug #499260)
+	use ssl && MODULE_CRITICAL+=" socache_shmcb"
+	use doc && MODULE_CRITICAL+=" alias negotiation setenvif"
+	apache-2_pkg_setup
+}
+
+src_configure() {
+	# Brain dead check.
+	tc-is-cross-compiler && export ap_cv_void_ptr_lt_long="no"
+
+	apache-2_src_configure
+}
+
+src_compile() {
+	if tc-is-cross-compiler ; then
+		# This header is the same across targets, so use the build compiler.
+		pushd server >/dev/null
+		emake gen_test_char
+		tc-export_build_env BUILD_CC
+		${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} \
+			gen_test_char.c -o gen_test_char $(apr-1-config --includes) || die
+		popd >/dev/null
+	fi
+
+	default
+}
+
+src_install() {
+	apache-2_src_install
+	local i
+	local apache_tools_prune_list=(
+		/usr/bin/{htdigest,logresolve,htpasswd,htdbm,ab,httxt2dbm}
+		/usr/sbin/{checkgid,fcgistarter,htcacheclean,rotatelogs}
+		/usr/share/man/man1/{logresolve.1,htdbm.1,htdigest.1,htpasswd.1,dbmmanage.1,ab.1}
+		/usr/share/man/man8/{rotatelogs.8,htcacheclean.8}
+	)
+	for i in ${apache_tools_prune_list[@]} ; do
+		rm "${ED}"/${i} || die "Failed to prune apache-tools bits"
+	done
+
+	# install apxs in /usr/bin (bug #502384) and put a symlink into the
+	# old location until all ebuilds and eclasses have been modified to
+	# use the new location.
+	dobin support/apxs
+	use split-usr && dosym ../bin/apxs /usr/sbin/apxs
+
+	# Note: wait for mod_systemd to be included in some forthcoming release,
+	# Then apache2.4.service can be used and systemd support controlled
+	# through --enable-systemd
+	systemd_newunit "${FILESDIR}/apache2.4-hardened.service" "apache2.service"
+	dotmpfiles "${FILESDIR}/apache.conf"
+	#insinto /etc/apache2/modules.d
+	#doins "${FILESDIR}/00_systemd.conf"
+
+	# Install http2 module config
+	insinto /etc/apache2/modules.d
+	doins "${FILESDIR}"/41_mod_http2.conf
+
+	# Fix path to apache libdir
+	sed "s|@LIBDIR@|$(get_libdir)|" -i "${ED}"/usr/sbin/apache2ctl || die
+}
+
+pkg_postinst() {
+	apache-2_pkg_postinst || die "apache-2_pkg_postinst failed"
+
+	tmpfiles_process apache.conf #662544
+
+	# warnings that default config might not work out of the box
+	local mod cmod
+	for mod in ${MODULE_CRITICAL} ; do
+		if ! use "apache2_modules_${mod}"; then
+			echo
+			ewarn "Warning: Critical module not installed!"
+			ewarn "Modules 'authn_core', 'authz_core' and 'unixd'"
+			ewarn "are highly recomended but might not be in the base profile yet."
+			ewarn "Default config for ssl needs module 'socache_shmcb'."
+			ewarn "Enabling the following flags is highly recommended:"
+			for cmod in ${MODULE_CRITICAL} ; do
+				use "apache2_modules_${cmod}" || \
+					ewarn "+ apache2_modules_${cmod}"
+			done
+			echo
+			break
+		fi
+	done
+	# warning for proxy_balancer and missing load balancing scheduler
+	if use apache2_modules_proxy_balancer; then
+		local lbset=
+		for mod in lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat; do
+			if use "apache2_modules_${mod}"; then
+				lbset=1 && break
+			fi
+		done
+		if [[ ! ${lbset} ]] ; then
+			echo
+			ewarn "Info: Missing load balancing scheduler algorithm module"
+			ewarn "(They were split off from proxy_balancer in 2.3)"
+			ewarn "In order to get the ability of load balancing, at least"
+			ewarn "one of these modules has to be present:"
+			ewarn "lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat"
+			echo
+		fi
+	fi
+}

diff --git a/www-servers/apache/files/apache2.4-hardened.service b/www-servers/apache/files/apache2.4-hardened.service
new file mode 100644
index 000000000000..fe66567e1e80
--- /dev/null
+++ b/www-servers/apache/files/apache2.4-hardened.service
@@ -0,0 +1,25 @@
+[Unit]
+Description=The Apache HTTP Server
+After=network.target remote-fs.target nss-lookup.target
+
+[Service]
+EnvironmentFile=/etc/conf.d/apache2
+ExecStart=/usr/sbin/apache2 $APACHE2_OPTS -DFOREGROUND
+ExecReload=/usr/sbin/apache2 $APACHE2_OPTS -k graceful
+ExecStop=/usr/sbin/apache2 $APACHE2_OPTS -k graceful-stop
+# We want systemd to give httpd some time to finish gracefully, but still want
+# it to kill httpd after TimeoutStopSec if something went wrong during the
+# graceful stop. Normally, Systemd sends SIGTERM signal right after the
+# ExecStop, which would kill httpd. We are sending useless SIGCONT here to give
+# httpd time to finish.
+KillSignal=SIGCONT
+PrivateTmp=true
+#Hardening
+CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_KILL CAP_NET_BIND_SERVICE CAP_IPC_LOCK
+SecureBits=noroot-locked
+ProtectSystem=full
+PrivateDevices=true
+MemoryDenyWriteExecute=true
+
+[Install]
+WantedBy=multi-user.target


^ permalink raw reply related	[flat|nested] 15+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: www-servers/apache/, www-servers/apache/files/
@ 2022-07-11  9:11 Hans de Graaff
  0 siblings, 0 replies; 15+ messages in thread
From: Hans de Graaff @ 2022-07-11  9:11 UTC (permalink / raw
  To: gentoo-commits

commit:     c39cef6551b028fa74e5dbe26f7402d13cee8a56
Author:     Hans de Graaff <graaff <AT> gentoo <DOT> org>
AuthorDate: Mon Jul 11 09:09:39 2022 +0000
Commit:     Hans de Graaff <graaff <AT> gentoo <DOT> org>
CommitDate: Mon Jul 11 09:11:49 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c39cef65

www-servers/apache: create /var/cache/apache2 with tmpfiles

Signed-off-by: Hans de Graaff <graaff <AT> gentoo.org>

 www-servers/apache/apache-2.4.54-r4.ebuild | 258 +++++++++++++++++++++++++++++
 www-servers/apache/files/apache.conf       |   1 +
 2 files changed, 259 insertions(+)

diff --git a/www-servers/apache/apache-2.4.54-r4.ebuild b/www-servers/apache/apache-2.4.54-r4.ebuild
new file mode 100644
index 000000000000..a2b75c48a3c1
--- /dev/null
+++ b/www-servers/apache/apache-2.4.54-r4.ebuild
@@ -0,0 +1,258 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+# latest gentoo apache files
+GENTOO_PATCHSTAMP="20210212"
+GENTOO_DEVELOPER="polynomial-c"
+GENTOO_PATCHNAME="gentoo-apache-2.4.46-r6"
+
+# IUSE/USE_EXPAND magic
+IUSE_MPMS_FORK="prefork"
+IUSE_MPMS_THREAD="event worker"
+
+# << obsolete modules:
+# authn_default authz_default mem_cache
+# mem_cache is replaced by cache_disk
+# ?? buggy modules
+# proxy_scgi: startup error: undefined symbol "ap_proxy_release_connection", no fix found
+# >> added modules for reason:
+# compat: compatibility with 2.2 access control
+# authz_host: new module for access control
+# authn_core: functionality provided by authn_alias in previous versions
+# authz_core: new module, provides core authorization capabilities
+# cache_disk: replacement for mem_cache
+# lbmethod_byrequests: Split off from mod_proxy_balancer in 2.3
+# lbmethod_bytraffic: Split off from mod_proxy_balancer in 2.3
+# lbmethod_bybusyness: Split off from mod_proxy_balancer in 2.3
+# lbmethod_heartbeat: Split off from mod_proxy_balancer in 2.3
+# slotmem_shm: Slot-based shared memory provider (for lbmethod_byrequests).
+# socache_shmcb: shared object cache provider. Default config with ssl needs it
+# unixd: fixes startup error: Invalid command 'User'
+IUSE_MODULES="access_compat actions alias asis auth_basic auth_digest auth_form
+authn_anon authn_core authn_dbd authn_dbm authn_file authn_socache authz_core
+authz_dbd authz_dbm authz_groupfile authz_host authz_owner authz_user autoindex
+brotli cache cache_disk cache_socache cern_meta charset_lite cgi cgid dav dav_fs dav_lock
+dbd deflate dir dumpio env expires ext_filter file_cache filter headers http2
+ident imagemap include info lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness
+lbmethod_heartbeat log_config log_forensic logio lua macro md mime mime_magic negotiation
+proxy proxy_ajp proxy_balancer proxy_connect proxy_ftp proxy_hcheck proxy_html proxy_http proxy_scgi
+proxy_http2 proxy_fcgi proxy_uwsgi proxy_wstunnel rewrite ratelimit remoteip reqtimeout
+session session_cookie session_crypto session_dbd setenvif slotmem_shm socache_memcache
+socache_shmcb speling status substitute systemd unique_id userdir usertrack
+unixd version vhost_alias watchdog xml2enc"
+# The following are also in the source as of this version, but are not available
+# for user selection:
+# bucketeer case_filter case_filter_in echo http isapi optional_fn_export
+# optional_fn_import optional_hook_export optional_hook_import
+
+# inter-module dependencies
+# TODO: this may still be incomplete
+MODULE_DEPENDS="
+	auth_form:session
+	brotli:filter
+	dav_fs:dav
+	dav_lock:dav
+	deflate:filter
+	cache_disk:cache
+	ext_filter:filter
+	file_cache:cache
+	lbmethod_byrequests:proxy_balancer
+	lbmethod_byrequests:slotmem_shm
+	lbmethod_bytraffic:proxy_balancer
+	lbmethod_bybusyness:proxy_balancer
+	lbmethod_heartbeat:proxy_balancer
+	log_forensic:log_config
+	logio:log_config
+	cache_disk:cache
+	cache_socache:cache
+	md:watchdog
+	mime_magic:mime
+	proxy_ajp:proxy
+	proxy_balancer:proxy
+	proxy_balancer:slotmem_shm
+	proxy_connect:proxy
+	proxy_ftp:proxy
+	proxy_hcheck:proxy
+	proxy_hcheck:watchdog
+	proxy_html:proxy
+	proxy_html:xml2enc
+	proxy_http:proxy
+	proxy_http2:proxy
+	proxy_scgi:proxy
+	proxy_uwsgi:proxy
+	proxy_fcgi:proxy
+	proxy_wstunnel:proxy
+	session_cookie:session
+	session_dbd:dbd
+	session_dbd:session
+	socache_memcache:cache
+	substitute:filter
+"
+
+# module<->define mappings
+MODULE_DEFINES="
+	auth_digest:AUTH_DIGEST
+	authnz_ldap:AUTHNZ_LDAP
+	cache:CACHE
+	cache_disk:CACHE
+	cache_socache:CACHE
+	dav:DAV
+	dav_fs:DAV
+	dav_lock:DAV
+	file_cache:CACHE
+	http2:HTTP2
+	info:INFO
+	ldap:LDAP
+	lua:LUA
+	md:SSL
+	proxy:PROXY
+	proxy_ajp:PROXY
+	proxy_balancer:PROXY
+	proxy_connect:PROXY
+	proxy_ftp:PROXY
+	proxy_html:PROXY
+	proxy_http:PROXY
+	proxy_hcheck:PROXY
+	proxy_fcgi:PROXY
+	proxy_scgi:PROXY
+	proxy_wstunnel:PROXY
+	socache_shmcb:SSL
+	socache_memcache:CACHE
+	ssl:SSL
+	status:STATUS
+	suexec:SUEXEC
+	systemd:SYSTEMD
+	userdir:USERDIR
+"
+
+# critical modules for the default config
+MODULE_CRITICAL="
+	authn_core
+	authz_core
+	authz_host
+	dir
+	mime
+	unixd
+"
+inherit apache-2 systemd tmpfiles toolchain-funcs
+
+DESCRIPTION="The Apache Web Server"
+HOMEPAGE="https://httpd.apache.org/"
+
+# some helper scripts are Apache-1.1, thus both are here
+LICENSE="Apache-2.0 Apache-1.1"
+SLOT="2"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x64-macos ~sparc64-solaris ~x64-solaris"
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-2.4.54-no-which.patch # bug #844868
+)
+
+pkg_setup() {
+	# dependend critical modules which are not allowed in global scope due
+	# to USE flag conditionals (bug #499260)
+	use ssl && MODULE_CRITICAL+=" socache_shmcb"
+	use doc && MODULE_CRITICAL+=" alias negotiation setenvif"
+	apache-2_pkg_setup
+}
+
+src_configure() {
+	# Brain dead check.
+	tc-is-cross-compiler && export ap_cv_void_ptr_lt_long="no"
+
+	apache-2_src_configure
+}
+
+src_compile() {
+	if tc-is-cross-compiler ; then
+		# This header is the same across targets, so use the build compiler.
+		pushd server >/dev/null
+		emake gen_test_char
+		tc-export_build_env BUILD_CC
+		${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} \
+			gen_test_char.c -o gen_test_char $(apr-1-config --includes) || die
+		popd >/dev/null
+	fi
+
+	default
+}
+
+src_install() {
+	apache-2_src_install
+	local i
+	local apache_tools_prune_list=(
+		/usr/bin/{htdigest,logresolve,htpasswd,htdbm,ab,httxt2dbm}
+		/usr/sbin/{checkgid,fcgistarter,htcacheclean,rotatelogs}
+		/usr/share/man/man1/{logresolve.1,htdbm.1,htdigest.1,htpasswd.1,dbmmanage.1,ab.1}
+		/usr/share/man/man8/{rotatelogs.8,htcacheclean.8}
+	)
+	for i in ${apache_tools_prune_list[@]} ; do
+		rm "${ED}"/${i} || die "Failed to prune apache-tools bits"
+	done
+
+	# install apxs in /usr/bin (bug #502384) and put a symlink into the
+	# old location until all ebuilds and eclasses have been modified to
+	# use the new location.
+	dobin support/apxs
+	use split-usr && dosym ../bin/apxs /usr/sbin/apxs
+
+	# Note: wait for mod_systemd to be included in some forthcoming release,
+	# Then apache2.4.service can be used and systemd support controlled
+	# through --enable-systemd
+	systemd_newunit "${FILESDIR}/apache2.2-hardened.service" "apache2.service"
+	dotmpfiles "${FILESDIR}/apache.conf"
+	#insinto /etc/apache2/modules.d
+	#doins "${FILESDIR}/00_systemd.conf"
+
+	# Install http2 module config
+	insinto /etc/apache2/modules.d
+	doins "${FILESDIR}"/41_mod_http2.conf
+
+	# Fix path to apache libdir
+	sed "s|@LIBDIR@|$(get_libdir)|" -i "${ED}"/usr/sbin/apache2ctl || die
+}
+
+pkg_postinst() {
+	apache-2_pkg_postinst || die "apache-2_pkg_postinst failed"
+
+	tmpfiles_process apache.conf #662544
+
+	# warnings that default config might not work out of the box
+	local mod cmod
+	for mod in ${MODULE_CRITICAL} ; do
+		if ! use "apache2_modules_${mod}"; then
+			echo
+			ewarn "Warning: Critical module not installed!"
+			ewarn "Modules 'authn_core', 'authz_core' and 'unixd'"
+			ewarn "are highly recomended but might not be in the base profile yet."
+			ewarn "Default config for ssl needs module 'socache_shmcb'."
+			ewarn "Enabling the following flags is highly recommended:"
+			for cmod in ${MODULE_CRITICAL} ; do
+				use "apache2_modules_${cmod}" || \
+					ewarn "+ apache2_modules_${cmod}"
+			done
+			echo
+			break
+		fi
+	done
+	# warning for proxy_balancer and missing load balancing scheduler
+	if use apache2_modules_proxy_balancer; then
+		local lbset=
+		for mod in lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat; do
+			if use "apache2_modules_${mod}"; then
+				lbset=1 && break
+			fi
+		done
+		if [[ ! ${lbset} ]] ; then
+			echo
+			ewarn "Info: Missing load balancing scheduler algorithm module"
+			ewarn "(They were split off from proxy_balancer in 2.3)"
+			ewarn "In order to get the ability of load balancing, at least"
+			ewarn "one of these modules has to be present:"
+			ewarn "lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat"
+			echo
+		fi
+	fi
+}

diff --git a/www-servers/apache/files/apache.conf b/www-servers/apache/files/apache.conf
index 56e23aefaf8e..74888d81a752 100644
--- a/www-servers/apache/files/apache.conf
+++ b/www-servers/apache/files/apache.conf
@@ -1,2 +1,3 @@
 d /run/apache2 710 root apache
 d /run/apache_ssl_mutex
+d /var/cache/apache2 750 apache apache


^ permalink raw reply related	[flat|nested] 15+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: www-servers/apache/, www-servers/apache/files/
@ 2022-06-29  8:39 Sam James
  0 siblings, 0 replies; 15+ messages in thread
From: Sam James @ 2022-06-29  8:39 UTC (permalink / raw
  To: gentoo-commits

commit:     241214d7fb7cfaac52b3333deadb2c9880d58682
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Mon Jun 20 00:26:40 2022 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Wed Jun 29 08:39:44 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=241214d7

www-servers/apache: drop which dependency

Apply to apache itself too just in case & for consistency.

Closes: https://bugs.gentoo.org/844868
Signed-off-by: Sam James <sam <AT> gentoo.org>
Closes: https://github.com/gentoo/gentoo/pull/25984
Signed-off-by: Sam James <sam <AT> gentoo.org>

 www-servers/apache/apache-2.4.54-r1.ebuild         | 266 +++++++++++++++++++++
 .../apache/files/apache-2.4.54-no-which.patch      |  54 +++++
 2 files changed, 320 insertions(+)

diff --git a/www-servers/apache/apache-2.4.54-r1.ebuild b/www-servers/apache/apache-2.4.54-r1.ebuild
new file mode 100644
index 000000000000..1b3ba9f9ea6f
--- /dev/null
+++ b/www-servers/apache/apache-2.4.54-r1.ebuild
@@ -0,0 +1,266 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+# latest gentoo apache files
+GENTOO_PATCHSTAMP="20210212"
+GENTOO_DEVELOPER="polynomial-c"
+GENTOO_PATCHNAME="gentoo-apache-2.4.46-r6"
+
+# IUSE/USE_EXPAND magic
+IUSE_MPMS_FORK="prefork"
+IUSE_MPMS_THREAD="event worker"
+
+# << obsolete modules:
+# authn_default authz_default mem_cache
+# mem_cache is replaced by cache_disk
+# ?? buggy modules
+# proxy_scgi: startup error: undefined symbol "ap_proxy_release_connection", no fix found
+# >> added modules for reason:
+# compat: compatibility with 2.2 access control
+# authz_host: new module for access control
+# authn_core: functionality provided by authn_alias in previous versions
+# authz_core: new module, provides core authorization capabilities
+# cache_disk: replacement for mem_cache
+# lbmethod_byrequests: Split off from mod_proxy_balancer in 2.3
+# lbmethod_bytraffic: Split off from mod_proxy_balancer in 2.3
+# lbmethod_bybusyness: Split off from mod_proxy_balancer in 2.3
+# lbmethod_heartbeat: Split off from mod_proxy_balancer in 2.3
+# slotmem_shm: Slot-based shared memory provider (for lbmethod_byrequests).
+# socache_shmcb: shared object cache provider. Default config with ssl needs it
+# unixd: fixes startup error: Invalid command 'User'
+IUSE_MODULES="access_compat actions alias asis auth_basic auth_digest auth_form
+authn_anon authn_core authn_dbd authn_dbm authn_file authn_socache authz_core
+authz_dbd authz_dbm authz_groupfile authz_host authz_owner authz_user autoindex
+brotli cache cache_disk cache_socache cern_meta charset_lite cgi cgid dav dav_fs dav_lock
+dbd deflate dir dumpio env expires ext_filter file_cache filter headers http2
+ident imagemap include info lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness
+lbmethod_heartbeat log_config log_forensic logio lua macro md mime mime_magic negotiation
+proxy proxy_ajp proxy_balancer proxy_connect proxy_ftp proxy_hcheck proxy_html proxy_http proxy_scgi
+proxy_http2 proxy_fcgi proxy_uwsgi proxy_wstunnel rewrite ratelimit remoteip reqtimeout
+session session_cookie session_crypto session_dbd setenvif slotmem_shm socache_memcache
+socache_shmcb speling status substitute systemd unique_id userdir usertrack
+unixd version vhost_alias watchdog xml2enc"
+# The following are also in the source as of this version, but are not available
+# for user selection:
+# bucketeer case_filter case_filter_in echo http isapi optional_fn_export
+# optional_fn_import optional_hook_export optional_hook_import
+
+# inter-module dependencies
+# TODO: this may still be incomplete
+MODULE_DEPENDS="
+	auth_form:session
+	brotli:filter
+	dav_fs:dav
+	dav_lock:dav
+	deflate:filter
+	cache_disk:cache
+	ext_filter:filter
+	file_cache:cache
+	lbmethod_byrequests:proxy_balancer
+	lbmethod_byrequests:slotmem_shm
+	lbmethod_bytraffic:proxy_balancer
+	lbmethod_bybusyness:proxy_balancer
+	lbmethod_heartbeat:proxy_balancer
+	log_forensic:log_config
+	logio:log_config
+	cache_disk:cache
+	cache_socache:cache
+	md:watchdog
+	mime_magic:mime
+	proxy_ajp:proxy
+	proxy_balancer:proxy
+	proxy_balancer:slotmem_shm
+	proxy_connect:proxy
+	proxy_ftp:proxy
+	proxy_hcheck:proxy
+	proxy_hcheck:watchdog
+	proxy_html:proxy
+	proxy_html:xml2enc
+	proxy_http:proxy
+	proxy_http2:proxy
+	proxy_scgi:proxy
+	proxy_uwsgi:proxy
+	proxy_fcgi:proxy
+	proxy_wstunnel:proxy
+	session_cookie:session
+	session_dbd:dbd
+	session_dbd:session
+	socache_memcache:cache
+	substitute:filter
+"
+
+# module<->define mappings
+MODULE_DEFINES="
+	auth_digest:AUTH_DIGEST
+	authnz_ldap:AUTHNZ_LDAP
+	cache:CACHE
+	cache_disk:CACHE
+	cache_socache:CACHE
+	dav:DAV
+	dav_fs:DAV
+	dav_lock:DAV
+	file_cache:CACHE
+	http2:HTTP2
+	info:INFO
+	ldap:LDAP
+	lua:LUA
+	md:SSL
+	proxy:PROXY
+	proxy_ajp:PROXY
+	proxy_balancer:PROXY
+	proxy_connect:PROXY
+	proxy_ftp:PROXY
+	proxy_html:PROXY
+	proxy_http:PROXY
+	proxy_hcheck:PROXY
+	proxy_fcgi:PROXY
+	proxy_scgi:PROXY
+	proxy_wstunnel:PROXY
+	socache_shmcb:SSL
+	socache_memcache:CACHE
+	ssl:SSL
+	status:STATUS
+	suexec:SUEXEC
+	systemd:SYSTEMD
+	userdir:USERDIR
+"
+
+# critical modules for the default config
+MODULE_CRITICAL="
+	authn_core
+	authz_core
+	authz_host
+	dir
+	mime
+	unixd
+"
+inherit apache-2 systemd tmpfiles toolchain-funcs
+
+DESCRIPTION="The Apache Web Server"
+HOMEPAGE="https://httpd.apache.org/"
+
+# some helper scripts are Apache-1.1, thus both are here
+LICENSE="Apache-2.0 Apache-1.1"
+SLOT="2"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x64-macos ~sparc64-solaris ~x64-solaris"
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-2.4.54-no-which.patch # bug #844868
+)
+
+pkg_setup() {
+	# dependend critical modules which are not allowed in global scope due
+	# to USE flag conditionals (bug #499260)
+	use ssl && MODULE_CRITICAL+=" socache_shmcb"
+	use doc && MODULE_CRITICAL+=" alias negotiation setenvif"
+	apache-2_pkg_setup
+}
+
+src_configure() {
+	# Brain dead check.
+	tc-is-cross-compiler && export ap_cv_void_ptr_lt_long="no"
+
+	apache-2_src_configure
+}
+
+src_compile() {
+	if tc-is-cross-compiler ; then
+		# This header is the same across targets, so use the build compiler.
+		pushd server >/dev/null
+		emake gen_test_char
+		tc-export_build_env BUILD_CC
+		${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} \
+			gen_test_char.c -o gen_test_char $(apr-1-config --includes) || die
+		popd >/dev/null
+	fi
+
+	default
+}
+
+src_install() {
+	apache-2_src_install
+	local i
+	local apache_tools_prune_list=(
+		/usr/bin/{htdigest,logresolve,htpasswd,htdbm,ab,httxt2dbm}
+		/usr/sbin/{checkgid,fcgistarter,htcacheclean,rotatelogs}
+		/usr/share/man/man1/{logresolve.1,htdbm.1,htdigest.1,htpasswd.1,dbmmanage.1,ab.1}
+		/usr/share/man/man8/{rotatelogs.8,htcacheclean.8}
+	)
+	for i in ${apache_tools_prune_list[@]} ; do
+		rm "${ED}"/${i} || die "Failed to prune apache-tools bits"
+	done
+
+	# install apxs in /usr/bin (bug #502384) and put a symlink into the
+	# old location until all ebuilds and eclasses have been modified to
+	# use the new location.
+	dobin support/apxs
+	use split-usr && dosym ../bin/apxs /usr/sbin/apxs
+
+	# Note: wait for mod_systemd to be included in some forthcoming release,
+	# Then apache2.4.service can be used and systemd support controlled
+	# through --enable-systemd
+	systemd_newunit "${FILESDIR}/apache2.2-hardened.service" "apache2.service"
+	dotmpfiles "${FILESDIR}/apache.conf"
+	#insinto /etc/apache2/modules.d
+	#doins "${FILESDIR}/00_systemd.conf"
+
+	# Install http2 module config
+	insinto /etc/apache2/modules.d
+	doins "${FILESDIR}"/41_mod_http2.conf
+
+	# Fix path to apache libdir
+	sed "s|@LIBDIR@|$(get_libdir)|" -i "${ED}"/usr/sbin/apache2ctl || die
+}
+
+pkg_postinst() {
+	echo
+	ewarn "Downgrading to pre-GLEP 81 user for now."
+	ewarn "See bug #802495 and bug #803500 for more information."
+	ewarn ""
+	ewarn "You will need to run the following command to unlock the user:"
+	ewarn "usermod -e '' -U apache 2>/dev/null"
+	echo
+
+	apache-2_pkg_postinst || die "apache-2_pkg_postinst failed"
+
+	tmpfiles_process apache.conf #662544
+
+	# warnings that default config might not work out of the box
+	local mod cmod
+	for mod in ${MODULE_CRITICAL} ; do
+		if ! use "apache2_modules_${mod}"; then
+			echo
+			ewarn "Warning: Critical module not installed!"
+			ewarn "Modules 'authn_core', 'authz_core' and 'unixd'"
+			ewarn "are highly recomended but might not be in the base profile yet."
+			ewarn "Default config for ssl needs module 'socache_shmcb'."
+			ewarn "Enabling the following flags is highly recommended:"
+			for cmod in ${MODULE_CRITICAL} ; do
+				use "apache2_modules_${cmod}" || \
+					ewarn "+ apache2_modules_${cmod}"
+			done
+			echo
+			break
+		fi
+	done
+	# warning for proxy_balancer and missing load balancing scheduler
+	if use apache2_modules_proxy_balancer; then
+		local lbset=
+		for mod in lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat; do
+			if use "apache2_modules_${mod}"; then
+				lbset=1 && break
+			fi
+		done
+		if [[ ! ${lbset} ]] ; then
+			echo
+			ewarn "Info: Missing load balancing scheduler algorithm module"
+			ewarn "(They were split off from proxy_balancer in 2.3)"
+			ewarn "In order to get the ability of load balancing, at least"
+			ewarn "one of these modules has to be present:"
+			ewarn "lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat"
+			echo
+		fi
+	fi
+}

diff --git a/www-servers/apache/files/apache-2.4.54-no-which.patch b/www-servers/apache/files/apache-2.4.54-no-which.patch
new file mode 100644
index 000000000000..65764dfe022a
--- /dev/null
+++ b/www-servers/apache/files/apache-2.4.54-no-which.patch
@@ -0,0 +1,54 @@
+https://bugs.gentoo.org/844868
+https://bz.apache.org/bugzilla/show_bug.cgi?id=66130
+--- a/build/aix/buildaix.ksh
++++ b/build/aix/buildaix.ksh
+@@ -26,14 +26,14 @@ export CFLAGS='-O2 -qlanglvl=extc99'
+ lslpp -L bos.adt.insttools >/dev/null
+  [[ $? -ne 0 ]] && echo "must have bos.adt.insttools installed" && exit -1
+ 
+-apr_config=`which apr-1-config`
+-apu_config=`which apu-1-config`
++apr_config=`command -v apr-1-config 2>/dev/null`
++apu_config=`command -v apu-1-config 2>/dev/null`
+ 
+ if [[ -z ${apr_config} && -z ${apu_config} ]]
+ then
+ 	export PATH=/opt/bin:${PATH}
+-	apr_config=`which apr-1-config`
+-	apu_config=`which apu-1-config`
++	apr_config=`command -v apr-1-config 2>/dev/null`
++	apu_config=`command -v apu-1-config 2>/dev/null`
+ fi
+ 
+ while test $# -gt 0
+--- a/build/pkg/buildpkg.sh
++++ b/build/pkg/buildpkg.sh
+@@ -24,8 +24,8 @@ PREFIX=/usr/local/apache2
+ TEMPDIR=/var/tmp/$USER/httpd-root
+ rm -rf $TEMPDIR
+ 
+-apr_config=`which apr-1-config`
+-apu_config=`which apu-1-config`
++apr_config=`command -v apr-1-config 2>/dev/null`
++apu_config=`command -v apu-1-config 2>/dev/null`
+ 
+ while test $# -gt 0 
+ do
+--- a/configure.in
++++ b/configure.in
+@@ -216,13 +216,13 @@ AC_ARG_WITH(pcre,
+ APACHE_HELP_STRING(--with-pcre=PATH,Use external PCRE library))
+ if test "x$with_pcre" = "x" || test "$with_pcre" = "yes"; then
+   with_pcre="$PATH"
+-else if which $with_pcre 2>/dev/null; then :; else
++else if command -v $with_pcre 2>/dev/null; then :; else
+   with_pcre="$with_pcre/bin:$with_pcre"
+ fi
+ fi
+ 
+ AC_CHECK_TARGET_TOOLS(PCRE_CONFIG, [pcre2-config pcre-config],
+-                      [`which $with_pcre 2>/dev/null`], $with_pcre)
++                      [`command -v $with_pcre 2>/dev/null`], $with_pcre)
+ 
+ if test "x$PCRE_CONFIG" != "x"; then
+   if $PCRE_CONFIG --version >/dev/null 2>&1; then :; else


^ permalink raw reply related	[flat|nested] 15+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: www-servers/apache/, www-servers/apache/files/
@ 2021-11-16  4:06 Michael Orlitzky
  0 siblings, 0 replies; 15+ messages in thread
From: Michael Orlitzky @ 2021-11-16  4:06 UTC (permalink / raw
  To: gentoo-commits

commit:     6b014110c2dafa2f293384be74a40e9cb01e1924
Author:     Michael Orlitzky <mjo <AT> gentoo <DOT> org>
AuthorDate: Tue Nov 16 04:02:09 2021 +0000
Commit:     Michael Orlitzky <mjo <AT> gentoo <DOT> org>
CommitDate: Tue Nov 16 04:02:23 2021 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6b014110

www-servers/apache: new revision to unbreak mpm-itk.

This latest version of apache was stabilized with bug 816258 open,
affecting everyone who uses the itk MPM. Worse, all of the old ebuilds
were removed, leaving no working versions of apache in the tree for
anyone with an itk-based configuration. I've added an emergency patch,
backported from upstream trunk, to fix the issue, and will ask for
stabilization immediately.

Bug: https://bugs.gentoo.org/816258
Package-Manager: Portage-3.0.28, Repoman-3.0.3
Signed-off-by: Michael Orlitzky <mjo <AT> gentoo.org>

 www-servers/apache/apache-2.4.51-r1.ebuild         | 264 +++++++++++++++++++++
 .../apache/files/apache-2.4.51-mpm-itk.patch       |  34 +++
 2 files changed, 298 insertions(+)

diff --git a/www-servers/apache/apache-2.4.51-r1.ebuild b/www-servers/apache/apache-2.4.51-r1.ebuild
new file mode 100644
index 000000000000..e5121330aca5
--- /dev/null
+++ b/www-servers/apache/apache-2.4.51-r1.ebuild
@@ -0,0 +1,264 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+# latest gentoo apache files
+GENTOO_PATCHSTAMP="20210212"
+GENTOO_DEVELOPER="polynomial-c"
+GENTOO_PATCHNAME="gentoo-apache-2.4.46-r6"
+
+# IUSE/USE_EXPAND magic
+IUSE_MPMS_FORK="prefork"
+IUSE_MPMS_THREAD="event worker"
+
+# << obsolete modules:
+# authn_default authz_default mem_cache
+# mem_cache is replaced by cache_disk
+# ?? buggy modules
+# proxy_scgi: startup error: undefined symbol "ap_proxy_release_connection", no fix found
+# >> added modules for reason:
+# compat: compatibility with 2.2 access control
+# authz_host: new module for access control
+# authn_core: functionality provided by authn_alias in previous versions
+# authz_core: new module, provides core authorization capabilities
+# cache_disk: replacement for mem_cache
+# lbmethod_byrequests: Split off from mod_proxy_balancer in 2.3
+# lbmethod_bytraffic: Split off from mod_proxy_balancer in 2.3
+# lbmethod_bybusyness: Split off from mod_proxy_balancer in 2.3
+# lbmethod_heartbeat: Split off from mod_proxy_balancer in 2.3
+# slotmem_shm: Slot-based shared memory provider (for lbmethod_byrequests).
+# socache_shmcb: shared object cache provider. Default config with ssl needs it
+# unixd: fixes startup error: Invalid command 'User'
+IUSE_MODULES="access_compat actions alias asis auth_basic auth_digest auth_form
+authn_alias authn_anon authn_core authn_dbd authn_dbm authn_file authn_socache authz_core
+authz_dbd authz_dbm authz_groupfile authz_host authz_owner authz_user autoindex
+brotli cache cache_disk cache_socache cern_meta charset_lite cgi cgid dav dav_fs dav_lock
+dbd deflate dir dumpio env expires ext_filter file_cache filter headers http2
+ident imagemap include info lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness
+lbmethod_heartbeat log_config log_forensic logio lua macro md mime mime_magic negotiation
+proxy proxy_ajp proxy_balancer proxy_connect proxy_ftp proxy_html proxy_http proxy_scgi
+proxy_http2 proxy_fcgi proxy_uwsgi proxy_wstunnel rewrite ratelimit remoteip reqtimeout
+session session_cookie session_crypto session_dbd setenvif slotmem_shm speling
+socache_memcache socache_shmcb status substitute unique_id userdir usertrack
+unixd version vhost_alias watchdog xml2enc"
+# The following are also in the source as of this version, but are not available
+# for user selection:
+# bucketeer case_filter case_filter_in echo http isapi optional_fn_export
+# optional_fn_import optional_hook_export optional_hook_import
+
+# inter-module dependencies
+# TODO: this may still be incomplete
+MODULE_DEPENDS="
+	auth_form:session
+	brotli:filter
+	dav_fs:dav
+	dav_lock:dav
+	deflate:filter
+	cache_disk:cache
+	ext_filter:filter
+	file_cache:cache
+	lbmethod_byrequests:proxy_balancer
+	lbmethod_byrequests:slotmem_shm
+	lbmethod_bytraffic:proxy_balancer
+	lbmethod_bybusyness:proxy_balancer
+	lbmethod_heartbeat:proxy_balancer
+	log_forensic:log_config
+	logio:log_config
+	cache_disk:cache
+	cache_socache:cache
+	md:watchdog
+	mime_magic:mime
+	proxy_ajp:proxy
+	proxy_balancer:proxy
+	proxy_balancer:slotmem_shm
+	proxy_connect:proxy
+	proxy_ftp:proxy
+	proxy_html:proxy
+	proxy_html:xml2enc
+	proxy_http:proxy
+	proxy_http2:proxy
+	proxy_scgi:proxy
+	proxy_uwsgi:proxy
+	proxy_fcgi:proxy
+	proxy_wstunnel:proxy
+	session_cookie:session
+	session_dbd:dbd
+	session_dbd:session
+	socache_memcache:cache
+	substitute:filter
+"
+
+# module<->define mappings
+MODULE_DEFINES="
+	auth_digest:AUTH_DIGEST
+	authnz_ldap:AUTHNZ_LDAP
+	cache:CACHE
+	cache_disk:CACHE
+	cache_socache:CACHE
+	dav:DAV
+	dav_fs:DAV
+	dav_lock:DAV
+	file_cache:CACHE
+	http2:HTTP2
+	info:INFO
+	ldap:LDAP
+	lua:LUA
+	md:SSL
+	proxy:PROXY
+	proxy_ajp:PROXY
+	proxy_balancer:PROXY
+	proxy_connect:PROXY
+	proxy_ftp:PROXY
+	proxy_html:PROXY
+	proxy_http:PROXY
+	proxy_fcgi:PROXY
+	proxy_scgi:PROXY
+	proxy_wstunnel:PROXY
+	socache_shmcb:SSL
+	socache_memcache:CACHE
+	ssl:SSL
+	status:STATUS
+	suexec:SUEXEC
+	userdir:USERDIR
+"
+
+# critical modules for the default config
+MODULE_CRITICAL="
+	authn_core
+	authz_core
+	authz_host
+	dir
+	mime
+	unixd
+"
+inherit apache-2 systemd tmpfiles toolchain-funcs
+
+DESCRIPTION="The Apache Web Server"
+HOMEPAGE="https://httpd.apache.org/"
+
+# some helper scripts are Apache-1.1, thus both are here
+LICENSE="Apache-2.0 Apache-1.1"
+SLOT="2"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x64-macos ~sparc64-solaris ~x64-solaris"
+
+# FIXME! Move this to eclass once all ebuilds are EAPI-7
+RDEPEND+=" apache2_modules_lua? ( ${LUA_DEPS} )"
+REQUIRED_USE+=" apache2_modules_lua? ( ${LUA_REQUIRED_USE} )"
+
+PATCHES=( "${FILESDIR}/apache-2.4.51-mpm-itk.patch" )
+
+pkg_setup() {
+	# dependend critical modules which are not allowed in global scope due
+	# to USE flag conditionals (bug #499260)
+	use ssl && MODULE_CRITICAL+=" socache_shmcb"
+	use doc && MODULE_CRITICAL+=" alias negotiation setenvif"
+	apache-2_pkg_setup
+}
+
+src_configure() {
+	# Brain dead check.
+	tc-is-cross-compiler && export ap_cv_void_ptr_lt_long="no"
+
+	apache-2_src_configure
+}
+
+src_compile() {
+	if tc-is-cross-compiler ; then
+		# This header is the same across targets, so use the build compiler.
+		pushd server >/dev/null
+		emake gen_test_char
+		tc-export_build_env BUILD_CC
+		${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} \
+			gen_test_char.c -o gen_test_char $(apr-1-config --includes) || die
+		popd >/dev/null
+	fi
+
+	default
+}
+
+src_install() {
+	apache-2_src_install
+	local i
+	local apache_tools_prune_list=(
+		/usr/bin/{htdigest,logresolve,htpasswd,htdbm,ab,httxt2dbm}
+		/usr/sbin/{checkgid,fcgistarter,htcacheclean,rotatelogs}
+		/usr/share/man/man1/{logresolve.1,htdbm.1,htdigest.1,htpasswd.1,dbmmanage.1,ab.1}
+		/usr/share/man/man8/{rotatelogs.8,htcacheclean.8}
+	)
+	for i in ${apache_tools_prune_list[@]} ; do
+		rm "${ED}"/${i} || die "Failed to prune apache-tools bits"
+	done
+
+	# install apxs in /usr/bin (bug #502384) and put a symlink into the
+	# old location until all ebuilds and eclasses have been modified to
+	# use the new location.
+	dobin support/apxs
+	use split-usr && dosym ../bin/apxs /usr/sbin/apxs
+
+	# Note: wait for mod_systemd to be included in some forthcoming release,
+	# Then apache2.4.service can be used and systemd support controlled
+	# through --enable-systemd
+	systemd_newunit "${FILESDIR}/apache2.2-hardened.service" "apache2.service"
+	dotmpfiles "${FILESDIR}/apache.conf"
+	#insinto /etc/apache2/modules.d
+	#doins "${FILESDIR}/00_systemd.conf"
+
+	# Install http2 module config
+	insinto /etc/apache2/modules.d
+	doins "${FILESDIR}"/41_mod_http2.conf
+
+	# Fix path to apache libdir
+	sed "s|@LIBDIR@|$(get_libdir)|" -i "${ED}"/usr/sbin/apache2ctl || die
+}
+
+pkg_postinst() {
+	echo
+	ewarn "Downgrading to pre-GLEP 81 user for now."
+	ewarn "See bug #802495 and bug #803500 for more information."
+	ewarn ""
+	ewarn "You will need to run the following command to unlock the user:"
+	ewarn "usermod -e '' -U apache 2>/dev/null"
+	echo
+
+	apache-2_pkg_postinst || die "apache-2_pkg_postinst failed"
+
+	tmpfiles_process apache.conf #662544
+
+	# warnings that default config might not work out of the box
+	local mod cmod
+	for mod in ${MODULE_CRITICAL} ; do
+		if ! use "apache2_modules_${mod}"; then
+			echo
+			ewarn "Warning: Critical module not installed!"
+			ewarn "Modules 'authn_core', 'authz_core' and 'unixd'"
+			ewarn "are highly recomended but might not be in the base profile yet."
+			ewarn "Default config for ssl needs module 'socache_shmcb'."
+			ewarn "Enabling the following flags is highly recommended:"
+			for cmod in ${MODULE_CRITICAL} ; do
+				use "apache2_modules_${cmod}" || \
+					ewarn "+ apache2_modules_${cmod}"
+			done
+			echo
+			break
+		fi
+	done
+	# warning for proxy_balancer and missing load balancing scheduler
+	if use apache2_modules_proxy_balancer; then
+		local lbset=
+		for mod in lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat; do
+			if use "apache2_modules_${mod}"; then
+				lbset=1 && break
+			fi
+		done
+		if [[ ! ${lbset} ]] ; then
+			echo
+			ewarn "Info: Missing load balancing scheduler algorithm module"
+			ewarn "(They were split off from proxy_balancer in 2.3)"
+			ewarn "In order to get the ability of load balancing, at least"
+			ewarn "one of these modules has to be present:"
+			ewarn "lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat"
+			echo
+		fi
+	fi
+}

diff --git a/www-servers/apache/files/apache-2.4.51-mpm-itk.patch b/www-servers/apache/files/apache-2.4.51-mpm-itk.patch
new file mode 100644
index 000000000000..4d36fe03dffb
--- /dev/null
+++ b/www-servers/apache/files/apache-2.4.51-mpm-itk.patch
@@ -0,0 +1,34 @@
+Backport of upstream r1894171 to fix segfaults with mpm-itk.
+
+https://bugs.gentoo.org/816258
+https://bz.apache.org/bugzilla/show_bug.cgi?id=65627
+
+--- a/server/connection.c	2021/09/21 20:03:52	1893497
++++ b/server/connection.c	2021/10/12 16:48:18	1894171
+@@ -145,9 +145,7 @@
+ {
+     apr_socket_t *csd = ap_get_conn_socket(c);
+ 
+-    if (!csd) {
+-        return 1;
+-    }
++    ap_assert(csd != NULL);
+ 
+     if (ap_prep_lingering_close(c)) {
+         return 1;
+@@ -178,6 +176,15 @@
+     apr_time_t now, timeup = 0;
+     apr_socket_t *csd = ap_get_conn_socket(c);
+ 
++    if (!csd) {
++        /* Be safe with third-party modules that:
++         *   ap_set_core_module_config(c->conn_config, NULL)
++         * to no-op ap_lingering_close().
++         */
++        c->aborted = 1;
++        return;
++    }
++
+     if (ap_start_lingering_close(c)) {
+         apr_socket_close(csd);
+         return;


^ permalink raw reply related	[flat|nested] 15+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: www-servers/apache/, www-servers/apache/files/
@ 2021-05-01 18:07 Sam James
  0 siblings, 0 replies; 15+ messages in thread
From: Sam James @ 2021-05-01 18:07 UTC (permalink / raw
  To: gentoo-commits

commit:     2cce81cc33feb86c57342c36c94736c0fa5039ff
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Sat May  1 17:38:07 2021 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Sat May  1 18:06:27 2021 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2cce81cc

www-servers/apache: drop obsolete LibreSSL patch

Signed-off-by: Sam James <sam <AT> gentoo.org>

 www-servers/apache/apache-2.4.46-r6.ebuild         |  4 ----
 www-servers/apache/apache-2.4.46.ebuild            |  4 ----
 www-servers/apache/apache-2.4.47.ebuild            |  4 ----
 .../apache/files/apache-2.4.41-libressl.patch      | 27 ----------------------
 4 files changed, 39 deletions(-)

diff --git a/www-servers/apache/apache-2.4.46-r6.ebuild b/www-servers/apache/apache-2.4.46-r6.ebuild
index c4b85183a2b..7343e87cea3 100644
--- a/www-servers/apache/apache-2.4.46-r6.ebuild
+++ b/www-servers/apache/apache-2.4.46-r6.ebuild
@@ -145,10 +145,6 @@ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc ~
 RDEPEND+=" apache2_modules_lua? ( ${LUA_DEPS} )"
 REQUIRED_USE+=" apache2_modules_lua? ( ${LUA_REQUIRED_USE} )"
 
-PATCHES=(
-	"${FILESDIR}/${PN}-2.4.41-libressl.patch" #668060
-)
-
 pkg_setup() {
 	# dependend critical modules which are not allowed in global scope due
 	# to USE flag conditionals (bug #499260)

diff --git a/www-servers/apache/apache-2.4.46.ebuild b/www-servers/apache/apache-2.4.46.ebuild
index 1f2646bf81e..95d53cb994d 100644
--- a/www-servers/apache/apache-2.4.46.ebuild
+++ b/www-servers/apache/apache-2.4.46.ebuild
@@ -138,10 +138,6 @@ LICENSE="Apache-2.0 Apache-1.1"
 SLOT="2"
 KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~mips ppc ppc64 ~s390 sparc x86 ~amd64-linux ~x64-macos ~sparc64-solaris ~x64-solaris"
 
-PATCHES=(
-	"${FILESDIR}/${PN}-2.4.41-libressl.patch" #668060
-)
-
 pkg_setup() {
 	# dependend critical modules which are not allowed in global scope due
 	# to USE flag conditionals (bug #499260)

diff --git a/www-servers/apache/apache-2.4.47.ebuild b/www-servers/apache/apache-2.4.47.ebuild
index c4b85183a2b..7343e87cea3 100644
--- a/www-servers/apache/apache-2.4.47.ebuild
+++ b/www-servers/apache/apache-2.4.47.ebuild
@@ -145,10 +145,6 @@ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc ~
 RDEPEND+=" apache2_modules_lua? ( ${LUA_DEPS} )"
 REQUIRED_USE+=" apache2_modules_lua? ( ${LUA_REQUIRED_USE} )"
 
-PATCHES=(
-	"${FILESDIR}/${PN}-2.4.41-libressl.patch" #668060
-)
-
 pkg_setup() {
 	# dependend critical modules which are not allowed in global scope due
 	# to USE flag conditionals (bug #499260)

diff --git a/www-servers/apache/files/apache-2.4.41-libressl.patch b/www-servers/apache/files/apache-2.4.41-libressl.patch
deleted file mode 100644
index 86a1a7d0236..00000000000
--- a/www-servers/apache/files/apache-2.4.41-libressl.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From d446b977f28ec79fffc2d2b45c671e037b709f19 Mon Sep 17 00:00:00 2001
-From: Stefan Strogin <steils@gentoo.org>
-Date: Wed, 28 Aug 2019 02:15:42 +0300
-Subject: [PATCH] mod_ssl: fix compilation with LibreSSL
-
-Upstream-Status: Submitted [https://github.com/apache/httpd/pull/64]
-Signed-off-by: Stefan Strogin <steils@gentoo.org>
----
- modules/ssl/ssl_engine_init.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
-index f54c922fc7..646c903fea 100644
---- a/modules/ssl/ssl_engine_init.c
-+++ b/modules/ssl/ssl_engine_init.c
-@@ -1512,7 +1512,7 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s,
-     X509_STORE_CTX *sctx;
-     X509_STORE *store = SSL_CTX_get_cert_store(mctx->ssl_ctx);
- 
--#if OPENSSL_VERSION_NUMBER >= 0x1010100fL
-+#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(LIBRESSL_VERSION_NUMBER)
-     /* For OpenSSL >=1.1.1, turn on client cert support which is
-      * otherwise turned off by default (by design).
-      * https://github.com/openssl/openssl/issues/6933 */
--- 
-2.23.0
-


^ permalink raw reply related	[flat|nested] 15+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: www-servers/apache/, www-servers/apache/files/
@ 2019-12-10 15:00 Lars Wendler
  0 siblings, 0 replies; 15+ messages in thread
From: Lars Wendler @ 2019-12-10 15:00 UTC (permalink / raw
  To: gentoo-commits

commit:     872597ae0890e11ac15718f655935f1b0c9e0dbd
Author:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Tue Dec 10 14:58:08 2019 +0000
Commit:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Tue Dec 10 14:58:08 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=872597ae

www-servers/apache: 2.2 removal

Bug: https://bugs.gentoo.org/692088
Package-Manager: Portage-2.3.81, Repoman-2.3.20
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>

 www-servers/apache/Manifest                |   2 -
 www-servers/apache/apache-2.2.34.ebuild    | 114 -----------------------------
 www-servers/apache/files/apache2.2.service |  19 -----
 3 files changed, 135 deletions(-)

diff --git a/www-servers/apache/Manifest b/www-servers/apache/Manifest
index b93ba5f41cd..bad25e94a30 100644
--- a/www-servers/apache/Manifest
+++ b/www-servers/apache/Manifest
@@ -1,4 +1,2 @@
-DIST gentoo-apache-2.2.34-20170918.tar.bz2 64390 BLAKE2B d3f6d85192706d7c49a38cc36e816b3ae531f8c0d42111c33ec32ed39900d36d8a2a85a5d1b5afca22331137f04fb24fb424a42a21caa7eb4f6906fa39cb8224 SHA512 10b42e50dcc196f60bcaefe90c382d62a61339dd8a56e899d6afb6998be4acdd376e2c3509791f22a0acf99d06add497e32703b6d523f640306a6db5e05f358a
 DIST gentoo-apache-2.4.39-20190402.tar.bz2 25491 BLAKE2B ce230b07ec156048c7d7c1eb4b0e732fa6140f55d136e317714591327bde3f85bab7780424e6eef04b7a4518cbdcfdddcbc094409f4ca19ffea1ce967bdf7cf1 SHA512 bc0ffa20cffd9a89c2ea64420fa2243d77e97d7922bcd0b387a7fcfcc3c6908a056972b499a81344f7c3e3e19b55ffc300fd034c54b287f4f32d8931bd50cde4
-DIST httpd-2.2.34.tar.bz2 5779739 BLAKE2B 8cdd41fb5d1880da4a1cfef252b4682f613b938594057ea4c9665d3881a50b298fb7339c1ceb3dafc215aa927048f99d500f2d29c125016d5766954be9b632b4 SHA512 e6dac5865a48533c025fe17523ee74d68c3a23f9512c9441b78a140e33cfb6835573eb049b0ad424eb5c5ca78a1915778c54e8a409da95fbdd3890cb99e08240
 DIST httpd-2.4.41.tar.bz2 7072373 BLAKE2B 88a2390736209d5ef04bffcb867bc8d6019302885e6f3cc63d18123336d4d0657252105a3bfebf4e91b8daa02119d4a61f4c0a9702244858a3193ec6cf681c0f SHA512 350cc7dcd2c439e0590338fa6da3f44df44f9bb885c381e91f91b14c2f48597f6f0bbac0ea118a8a67eaa70ae7edbb769beace368643ed73f6daee44c307b335

diff --git a/www-servers/apache/apache-2.2.34.ebuild b/www-servers/apache/apache-2.2.34.ebuild
deleted file mode 100644
index a9cf7b2ceb3..00000000000
--- a/www-servers/apache/apache-2.2.34.ebuild
+++ /dev/null
@@ -1,114 +0,0 @@
-# Copyright 1999-2018 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=5
-
-# latest gentoo apache files
-GENTOO_PATCHSTAMP="20170918"
-GENTOO_DEVELOPER="whissi"
-GENTOO_PATCHNAME="gentoo-apache-2.2.34"
-
-# IUSE/USE_EXPAND magic
-IUSE_MPMS_FORK="itk peruser prefork"
-IUSE_MPMS_THREAD="event worker"
-
-IUSE_MODULES="actions alias asis auth_basic auth_digest authn_alias authn_anon
-authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default
-authz_groupfile authz_host authz_owner authz_user autoindex cache cern_meta
-charset_lite cgi cgid dav dav_fs dav_lock dbd deflate dir disk_cache dumpio
-env expires ext_filter file_cache filter headers ident imagemap include info
-log_config log_forensic logio mem_cache mime mime_magic negotiation proxy
-proxy_ajp proxy_balancer proxy_connect proxy_ftp proxy_http proxy_scgi rewrite
-reqtimeout setenvif speling status substitute unique_id userdir usertrack
-version vhost_alias"
-# The following are also in the source as of this version, but are not available
-# for user selection:
-# bucketeer case_filter case_filter_in echo http isapi optional_fn_export
-# optional_fn_import optional_hook_export optional_hook_import
-
-# inter-module dependencies
-# TODO: this may still be incomplete
-MODULE_DEPENDS="
-	dav_fs:dav
-	dav_lock:dav
-	deflate:filter
-	disk_cache:cache
-	ext_filter:filter
-	file_cache:cache
-	log_forensic:log_config
-	logio:log_config
-	mem_cache:cache
-	mime_magic:mime
-	proxy_ajp:proxy
-	proxy_balancer:proxy
-	proxy_connect:proxy
-	proxy_ftp:proxy
-	proxy_http:proxy
-	proxy_scgi:proxy
-	substitute:filter
-"
-
-# module<->define mappings
-MODULE_DEFINES="
-	auth_digest:AUTH_DIGEST
-	authnz_ldap:AUTHNZ_LDAP
-	cache:CACHE
-	dav:DAV
-	dav_fs:DAV
-	dav_lock:DAV
-	disk_cache:CACHE
-	file_cache:CACHE
-	info:INFO
-	ldap:LDAP
-	mem_cache:CACHE
-	proxy:PROXY
-	proxy_ajp:PROXY
-	proxy_balancer:PROXY
-	proxy_connect:PROXY
-	proxy_ftp:PROXY
-	proxy_http:PROXY
-	ssl:SSL
-	status:STATUS
-	suexec:SUEXEC
-	userdir:USERDIR
-"
-
-# critical modules for the default config
-MODULE_CRITICAL="
-	authz_host
-	dir
-	mime
-"
-
-inherit apache-2 systemd toolchain-funcs
-
-DESCRIPTION="The Apache Web Server"
-HOMEPAGE="https://httpd.apache.org/"
-
-# some helper scripts are Apache-1.1, thus both are here
-LICENSE="Apache-2.0 Apache-1.1"
-SLOT="2"
-KEYWORDS="alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86"
-IUSE=""
-
-src_configure() {
-	# Brain dead check.
-	tc-is-cross-compiler && export ap_cv_void_ptr_lt_long="no"
-
-	apache-2_src_configure
-}
-
-src_install() {
-	apache-2_src_install
-
-	# install apxs in /usr/bin (bug #502384) and put a symlink into the
-	# old location until all ebuilds and eclasses have been modified to
-	# use the new location.
-	local apxs_dir="/usr/bin"
-	dodir ${apxs_dir}
-	mv "${D}"/usr/sbin/apxs "${D}"${apxs_dir} || die
-	ln -s ../bin/apxs "${D}"/usr/sbin/apxs || die
-
-	systemd_newunit "${FILESDIR}/apache2.2.service" "apache2.service"
-	systemd_dotmpfilesd "${FILESDIR}/apache.conf"
-}

diff --git a/www-servers/apache/files/apache2.2.service b/www-servers/apache/files/apache2.2.service
deleted file mode 100644
index 76f783a423b..00000000000
--- a/www-servers/apache/files/apache2.2.service
+++ /dev/null
@@ -1,19 +0,0 @@
-[Unit]
-Description=The Apache HTTP Server
-After=network.target remote-fs.target nss-lookup.target
-
-[Service]
-EnvironmentFile=/etc/conf.d/apache2
-ExecStart=/usr/sbin/apache2 $APACHE2_OPTS -DFOREGROUND
-ExecReload=/usr/sbin/apache2 $APACHE2_OPTS -k graceful
-ExecStop=/usr/sbin/apache2 $APACHE2_OPTS -k graceful-stop
-# We want systemd to give httpd some time to finish gracefully, but still want
-# it to kill httpd after TimeoutStopSec if something went wrong during the
-# graceful stop. Normally, Systemd sends SIGTERM signal right after the
-# ExecStop, which would kill httpd. We are sending useless SIGCONT here to give
-# httpd time to finish.
-KillSignal=SIGCONT
-PrivateTmp=true
-
-[Install]
-WantedBy=multi-user.target


^ permalink raw reply related	[flat|nested] 15+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: www-servers/apache/, www-servers/apache/files/
@ 2019-04-21  2:14 Lars Wendler
  0 siblings, 0 replies; 15+ messages in thread
From: Lars Wendler @ 2019-04-21  2:14 UTC (permalink / raw
  To: gentoo-commits

commit:     a4fa77e074b321d4bf55c3eab587daed8227cac6
Author:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Sun Apr 21 02:13:51 2019 +0000
Commit:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Sun Apr 21 02:13:51 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a4fa77e0

www-servers/apache: Security cleanup

Bug: https://bugs.gentoo.org/682306
Package-Manager: Portage-2.3.64, Repoman-2.3.12
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>

 www-servers/apache/Manifest                        |   4 -
 www-servers/apache/apache-2.4.34-r2.ebuild         | 262 ---------------------
 www-servers/apache/apache-2.4.38-r1.ebuild         | 257 --------------------
 .../apache/files/apache-2.4.34-PR62557.patch       | 216 -----------------
 .../apache-2.4.34-suexec_parallel_install.patch    |  19 --
 5 files changed, 758 deletions(-)

diff --git a/www-servers/apache/Manifest b/www-servers/apache/Manifest
index 5e988a0e24a..ed95ede81d6 100644
--- a/www-servers/apache/Manifest
+++ b/www-servers/apache/Manifest
@@ -1,8 +1,4 @@
 DIST gentoo-apache-2.2.34-20170918.tar.bz2 64390 BLAKE2B d3f6d85192706d7c49a38cc36e816b3ae531f8c0d42111c33ec32ed39900d36d8a2a85a5d1b5afca22331137f04fb24fb424a42a21caa7eb4f6906fa39cb8224 SHA512 10b42e50dcc196f60bcaefe90c382d62a61339dd8a56e899d6afb6998be4acdd376e2c3509791f22a0acf99d06add497e32703b6d523f640306a6db5e05f358a
-DIST gentoo-apache-2.4.34-20180716.tar.bz2 24773 BLAKE2B 6ff3b711e16a0156f8c5da4c5ee830a6e3d55b1f29c44a81be26decf6611e2680c84ec7779372bc0de775f3aff90fdaec48f5bc7253c8c9317c1308b60bf10e3 SHA512 4b96c2c7cad0aeef070584b64396360acb2ec24139a5af4755fc36b1f3cd2b82b213ebbfc45035f61c49b59ba40870930227b42e0b60042fd1147f34ba5df574
-DIST gentoo-apache-2.4.38-20190226.tar.bz2 24810 BLAKE2B 31dc4363c7bdb3dd49287da405541b73e31f251b1b31ecfdffd066a3cd6b838938acf7326a7963a05693e20d6dc34e71223efd1ecd5062a25829d6f6f4721595 SHA512 3dbddedab74e4326b53a9ec3daeb53d727c2789736ae3234d127ccffe873541bd7baa26d5cf9ed064b6e4125fd5a2baee97bccb81e67fdc5674cffe81ca93c40
 DIST gentoo-apache-2.4.39-20190402.tar.bz2 25491 BLAKE2B ce230b07ec156048c7d7c1eb4b0e732fa6140f55d136e317714591327bde3f85bab7780424e6eef04b7a4518cbdcfdddcbc094409f4ca19ffea1ce967bdf7cf1 SHA512 bc0ffa20cffd9a89c2ea64420fa2243d77e97d7922bcd0b387a7fcfcc3c6908a056972b499a81344f7c3e3e19b55ffc300fd034c54b287f4f32d8931bd50cde4
 DIST httpd-2.2.34.tar.bz2 5779739 BLAKE2B 8cdd41fb5d1880da4a1cfef252b4682f613b938594057ea4c9665d3881a50b298fb7339c1ceb3dafc215aa927048f99d500f2d29c125016d5766954be9b632b4 SHA512 e6dac5865a48533c025fe17523ee74d68c3a23f9512c9441b78a140e33cfb6835573eb049b0ad424eb5c5ca78a1915778c54e8a409da95fbdd3890cb99e08240
-DIST httpd-2.4.34.tar.bz2 6942969 BLAKE2B 02ecb9980f48bef7ac915077598560353e0682001bdaa99410b7faad459c4581f8d0878b4840e38e570b1872d549d58743260cb3030c145ae93bef97fc692cc4 SHA512 2bc09213f08a4722e305929fbac5f5060c7a8444704494894bb9b61f17e4d20bb6e3d663bb93fc5b2030b04a43fb12373d260cc291422b210b299725aaf3b5c8
-DIST httpd-2.4.38.tar.bz2 7035030 BLAKE2B 52d965b0eae3402c268f1c5f5fb669ad84408699871d0518ba254c6e7c00f2198cba8cb6106114a62f0f6de67e0a8b921b5783af9530d165ed4d435312ce5164 SHA512 8bdc36fa2bd13fd83feee17fdce4a5316ed8f96c1ac32b636ba106572ba257815438c72068d2d0e900783a3fa25c90a5da34c3f83fc2c04a1dbdbf234f7ad448
 DIST httpd-2.4.39.tar.bz2 7030539 BLAKE2B 1e378833efb9bbdd6fdc277a779620a08752d064524489f9ad747cf85350fbb6ad65f57b30c81d57273cd6693d8a2c4e988f5a2c42bd5c9c538b305b9b7719e8 SHA512 9742202040b3dc6344b301540f54b2d3f8e36898410d24206a7f8dcecb1bea7d7230fabc7256752724558af249facf64bffe2cf678b8f7cccb64076737abfda7

diff --git a/www-servers/apache/apache-2.4.34-r2.ebuild b/www-servers/apache/apache-2.4.34-r2.ebuild
deleted file mode 100644
index 7951d9793d5..00000000000
--- a/www-servers/apache/apache-2.4.34-r2.ebuild
+++ /dev/null
@@ -1,262 +0,0 @@
-# Copyright 1999-2018 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=6
-
-# latest gentoo apache files
-GENTOO_PATCHSTAMP="20180716"
-GENTOO_DEVELOPER="polynomial-c"
-GENTOO_PATCHNAME="gentoo-apache-2.4.34"
-
-# IUSE/USE_EXPAND magic
-IUSE_MPMS_FORK="prefork"
-IUSE_MPMS_THREAD="event worker"
-
-# << obsolete modules:
-# authn_default authz_default mem_cache
-# mem_cache is replaced by cache_disk
-# ?? buggy modules
-# proxy_scgi: startup error: undefined symbol "ap_proxy_release_connection", no fix found
-# >> added modules for reason:
-# compat: compatibility with 2.2 access control
-# authz_host: new module for access control
-# authn_core: functionality provided by authn_alias in previous versions
-# authz_core: new module, provides core authorization capabilities
-# cache_disk: replacement for mem_cache
-# lbmethod_byrequests: Split off from mod_proxy_balancer in 2.3
-# lbmethod_bytraffic: Split off from mod_proxy_balancer in 2.3
-# lbmethod_bybusyness: Split off from mod_proxy_balancer in 2.3
-# lbmethod_heartbeat: Split off from mod_proxy_balancer in 2.3
-# slotmem_shm: Slot-based shared memory provider (for lbmethod_byrequests).
-# socache_shmcb: shared object cache provider. Default config with ssl needs it
-# unixd: fixes startup error: Invalid command 'User'
-IUSE_MODULES="access_compat actions alias asis auth_basic auth_digest
-authn_alias authn_anon authn_core authn_dbd authn_dbm authn_file authz_core
-authz_dbd authz_dbm authz_groupfile authz_host authz_owner authz_user autoindex
-brotli cache cache_disk cache_socache cern_meta charset_lite cgi cgid dav dav_fs dav_lock
-dbd deflate dir dumpio env expires ext_filter file_cache filter headers http2
-ident imagemap include info lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness
-lbmethod_heartbeat log_config log_forensic logio macro md mime mime_magic negotiation
-proxy proxy_ajp proxy_balancer proxy_connect proxy_ftp proxy_html proxy_http proxy_scgi
-proxy_fcgi  proxy_wstunnel rewrite ratelimit remoteip reqtimeout setenvif
-slotmem_shm speling socache_shmcb status substitute unique_id userdir usertrack
-unixd version vhost_alias watchdog xml2enc"
-# The following are also in the source as of this version, but are not available
-# for user selection:
-# bucketeer case_filter case_filter_in echo http isapi optional_fn_export
-# optional_fn_import optional_hook_export optional_hook_import
-
-# inter-module dependencies
-# TODO: this may still be incomplete
-MODULE_DEPENDS="
-	brotli:filter
-	dav_fs:dav
-	dav_lock:dav
-	deflate:filter
-	cache_disk:cache
-	ext_filter:filter
-	file_cache:cache
-	lbmethod_byrequests:proxy_balancer
-	lbmethod_byrequests:slotmem_shm
-	lbmethod_bytraffic:proxy_balancer
-	lbmethod_bybusyness:proxy_balancer
-	lbmethod_heartbeat:proxy_balancer
-	log_forensic:log_config
-	logio:log_config
-	cache_disk:cache
-	cache_socache:cache
-	md:watchdog
-	mime_magic:mime
-	proxy_ajp:proxy
-	proxy_balancer:proxy
-	proxy_balancer:slotmem_shm
-	proxy_connect:proxy
-	proxy_ftp:proxy
-	proxy_html:proxy
-	proxy_html:xml2enc
-	proxy_http:proxy
-	proxy_scgi:proxy
-	proxy_fcgi:proxy
-	proxy_wstunnel:proxy
-	substitute:filter
-"
-
-# module<->define mappings
-MODULE_DEFINES="
-	auth_digest:AUTH_DIGEST
-	authnz_ldap:AUTHNZ_LDAP
-	cache:CACHE
-	cache_disk:CACHE
-	cache_socache:CACHE
-	dav:DAV
-	dav_fs:DAV
-	dav_lock:DAV
-	file_cache:CACHE
-	http2:HTTP2
-	info:INFO
-	ldap:LDAP
-	md:SSL
-	proxy:PROXY
-	proxy_ajp:PROXY
-	proxy_balancer:PROXY
-	proxy_connect:PROXY
-	proxy_ftp:PROXY
-	proxy_html:PROXY
-	proxy_http:PROXY
-	proxy_fcgi:PROXY
-	proxy_scgi:PROXY
-	proxy_wstunnel:PROXY
-	socache_shmcb:SSL
-	ssl:SSL
-	status:STATUS
-	suexec:SUEXEC
-	userdir:USERDIR
-"
-
-# critical modules for the default config
-MODULE_CRITICAL="
-	authn_core
-	authz_core
-	authz_host
-	dir
-	mime
-	unixd
-"
-inherit apache-2 systemd tmpfiles toolchain-funcs
-
-DESCRIPTION="The Apache Web Server"
-HOMEPAGE="https://httpd.apache.org/"
-
-# some helper scripts are Apache-1.1, thus both are here
-LICENSE="Apache-2.0 Apache-1.1"
-SLOT="2"
-KEYWORDS="alpha amd64 arm ~arm64 ~hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-linux ~x64-macos ~x86-macos ~m68k-mint ~sparc64-solaris ~x64-solaris"
-
-# Enable http2 by default (bug #563452)
-# FIXME: Move to apache-2.eclass once this has reached stable.
-IUSE="${IUSE/apache2_modules_http2/+apache2_modules_http2}"
-# New suexec options (since 2.4.34)
-IUSE="${IUSE} +suexec-caps suexec-syslog"
-
-CDEPEND="apache2_modules_brotli? ( >=app-arch/brotli-0.6.0:= )
-	apache2_modules_http2? ( >=net-libs/nghttp2-1.2.1 )
-	apache2_modules_md? ( >=dev-libs/jansson-2.10 )"
-
-DEPEND+="${CDEPEND}
-	suexec? ( suexec-caps? ( sys-libs/libcap ) )"
-RDEPEND+="${CDEPEND}"
-
-REQUIRED_USE="apache2_modules_http2? ( ssl )
-	apache2_modules_md? ( ssl )"
-
-PATCHES=(
-	"${FILESDIR}/${PN}-2.4.34-suexec_parallel_install.patch" #661358
-	"${FILESDIR}"/${P}-PR62557.patch #663312
-)
-
-pkg_setup() {
-	# dependend critical modules which are not allowed in global scope due
-	# to USE flag conditionals (bug #499260)
-	use ssl && MODULE_CRITICAL+=" socache_shmcb"
-	use doc && MODULE_CRITICAL+=" alias negotiation setenvif"
-	apache-2_pkg_setup
-}
-
-src_configure() {
-	# Brain dead check.
-	tc-is-cross-compiler && export ap_cv_void_ptr_lt_long="no"
-
-	apache-2_src_configure
-}
-
-src_compile() {
-	if tc-is-cross-compiler; then
-		# This header is the same across targets, so use the build compiler.
-		pushd server >/dev/null
-		emake gen_test_char
-		tc-export_build_env BUILD_CC
-		${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} \
-			gen_test_char.c -o gen_test_char $(apr-1-config --includes) || die
-		popd >/dev/null
-	fi
-
-	default
-}
-
-src_install() {
-	apache-2_src_install
-	local i
-	local apache_tools_prune_list=(
-		/usr/bin/{htdigest,logresolve,htpasswd,htdbm,ab,httxt2dbm}
-		/usr/sbin/{checkgid,fcgistarter,htcacheclean,rotatelogs}
-		/usr/share/man/man1/{logresolve.1,htdbm.1,htdigest.1,htpasswd.1,dbmmanage.1,ab.1}
-		/usr/share/man/man8/{rotatelogs.8,htcacheclean.8}
-	)
-	for i in ${apache_tools_prune_list[@]} ; do
-		rm "${ED%/}"/$i || die "Failed to prune apache-tools bits"
-	done
-
-	# install apxs in /usr/bin (bug #502384) and put a symlink into the
-	# old location until all ebuilds and eclasses have been modified to
-	# use the new location.
-	dobin support/apxs
-	dosym ../bin/apxs /usr/sbin/apxs
-
-	# Note: wait for mod_systemd to be included in some forthcoming release,
-	# Then apache2.4.service can be used and systemd support controlled
-	# through --enable-systemd
-	systemd_newunit "${FILESDIR}/apache2.2-hardened.service" "apache2.service"
-	systemd_dotmpfilesd "${FILESDIR}/apache.conf"
-	#insinto /etc/apache2/modules.d
-	#doins "${FILESDIR}/00_systemd.conf"
-
-	# Install http2 module config
-	insinto /etc/apache2/modules.d
-	doins "${FILESDIR}"/41_mod_http2.conf
-
-	# Fix path to apache libdir
-	sed "s|@LIBDIR@|$(get_libdir)|" -i "${ED%/}"/usr/sbin/apache2ctl || die
-}
-
-pkg_postinst() {
-	apache-2_pkg_postinst || die "apache-2_pkg_postinst failed"
-
-	tmpfiles_process apache.conf #662544
-
-	# warnings that default config might not work out of the box
-	local mod cmod
-	for mod in ${MODULE_CRITICAL} ; do
-		if ! use "apache2_modules_${mod}"; then
-			echo
-			ewarn "Warning: Critical module not installed!"
-			ewarn "Modules 'authn_core', 'authz_core' and 'unixd'"
-			ewarn "are highly recomended but might not be in the base profile yet."
-			ewarn "Default config for ssl needs module 'socache_shmcb'."
-			ewarn "Enabling the following flags is highly recommended:"
-			for cmod in ${MODULE_CRITICAL} ; do
-				use "apache2_modules_${cmod}" || \
-					ewarn "+ apache2_modules_${cmod}"
-			done
-			echo
-			break
-		fi
-	done
-	# warning for proxy_balancer and missing load balancing scheduler
-	if use apache2_modules_proxy_balancer; then
-		local lbset=
-		for mod in lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat; do
-			if use "apache2_modules_${mod}"; then
-				lbset=1 && break
-			fi
-		done
-		if [ ! ${lbset} ] ; then
-			echo
-			ewarn "Info: Missing load balancing scheduler algorithm module"
-			ewarn "(They were split off from proxy_balancer in 2.3)"
-			ewarn "In order to get the ability of load balancing, at least"
-			ewarn "one of these modules has to be present:"
-			ewarn "lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat"
-			echo
-		fi
-	fi
-}

diff --git a/www-servers/apache/apache-2.4.38-r1.ebuild b/www-servers/apache/apache-2.4.38-r1.ebuild
deleted file mode 100644
index 64fa99892b9..00000000000
--- a/www-servers/apache/apache-2.4.38-r1.ebuild
+++ /dev/null
@@ -1,257 +0,0 @@
-# Copyright 1999-2019 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=6
-
-# latest gentoo apache files
-GENTOO_PATCHSTAMP="20190226"
-GENTOO_DEVELOPER="polynomial-c"
-GENTOO_PATCHNAME="gentoo-apache-2.4.38"
-
-# IUSE/USE_EXPAND magic
-IUSE_MPMS_FORK="prefork"
-IUSE_MPMS_THREAD="event worker"
-
-# << obsolete modules:
-# authn_default authz_default mem_cache
-# mem_cache is replaced by cache_disk
-# ?? buggy modules
-# proxy_scgi: startup error: undefined symbol "ap_proxy_release_connection", no fix found
-# >> added modules for reason:
-# compat: compatibility with 2.2 access control
-# authz_host: new module for access control
-# authn_core: functionality provided by authn_alias in previous versions
-# authz_core: new module, provides core authorization capabilities
-# cache_disk: replacement for mem_cache
-# lbmethod_byrequests: Split off from mod_proxy_balancer in 2.3
-# lbmethod_bytraffic: Split off from mod_proxy_balancer in 2.3
-# lbmethod_bybusyness: Split off from mod_proxy_balancer in 2.3
-# lbmethod_heartbeat: Split off from mod_proxy_balancer in 2.3
-# slotmem_shm: Slot-based shared memory provider (for lbmethod_byrequests).
-# socache_shmcb: shared object cache provider. Default config with ssl needs it
-# unixd: fixes startup error: Invalid command 'User'
-IUSE_MODULES="access_compat actions alias asis auth_basic auth_digest
-authn_alias authn_anon authn_core authn_dbd authn_dbm authn_file authz_core
-authz_dbd authz_dbm authz_groupfile authz_host authz_owner authz_user autoindex
-brotli cache cache_disk cache_socache cern_meta charset_lite cgi cgid dav dav_fs dav_lock
-dbd deflate dir dumpio env expires ext_filter file_cache filter headers http2
-ident imagemap include info lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness
-lbmethod_heartbeat log_config log_forensic logio macro md mime mime_magic negotiation
-proxy proxy_ajp proxy_balancer proxy_connect proxy_ftp proxy_html proxy_http proxy_scgi
-proxy_http2 proxy_fcgi  proxy_wstunnel rewrite ratelimit remoteip reqtimeout setenvif
-slotmem_shm speling socache_shmcb status substitute unique_id userdir usertrack
-unixd version vhost_alias watchdog xml2enc"
-# The following are also in the source as of this version, but are not available
-# for user selection:
-# bucketeer case_filter case_filter_in echo http isapi optional_fn_export
-# optional_fn_import optional_hook_export optional_hook_import
-
-# inter-module dependencies
-# TODO: this may still be incomplete
-MODULE_DEPENDS="
-	brotli:filter
-	dav_fs:dav
-	dav_lock:dav
-	deflate:filter
-	cache_disk:cache
-	ext_filter:filter
-	file_cache:cache
-	lbmethod_byrequests:proxy_balancer
-	lbmethod_byrequests:slotmem_shm
-	lbmethod_bytraffic:proxy_balancer
-	lbmethod_bybusyness:proxy_balancer
-	lbmethod_heartbeat:proxy_balancer
-	log_forensic:log_config
-	logio:log_config
-	cache_disk:cache
-	cache_socache:cache
-	md:watchdog
-	mime_magic:mime
-	proxy_ajp:proxy
-	proxy_balancer:proxy
-	proxy_balancer:slotmem_shm
-	proxy_connect:proxy
-	proxy_ftp:proxy
-	proxy_html:proxy
-	proxy_html:xml2enc
-	proxy_http:proxy
-	proxy_scgi:proxy
-	proxy_fcgi:proxy
-	proxy_wstunnel:proxy
-	substitute:filter
-"
-
-# module<->define mappings
-MODULE_DEFINES="
-	auth_digest:AUTH_DIGEST
-	authnz_ldap:AUTHNZ_LDAP
-	cache:CACHE
-	cache_disk:CACHE
-	cache_socache:CACHE
-	dav:DAV
-	dav_fs:DAV
-	dav_lock:DAV
-	file_cache:CACHE
-	http2:HTTP2
-	info:INFO
-	ldap:LDAP
-	md:SSL
-	proxy:PROXY
-	proxy_ajp:PROXY
-	proxy_balancer:PROXY
-	proxy_connect:PROXY
-	proxy_ftp:PROXY
-	proxy_html:PROXY
-	proxy_http:PROXY
-	proxy_fcgi:PROXY
-	proxy_scgi:PROXY
-	proxy_wstunnel:PROXY
-	socache_shmcb:SSL
-	ssl:SSL
-	status:STATUS
-	suexec:SUEXEC
-	userdir:USERDIR
-"
-
-# critical modules for the default config
-MODULE_CRITICAL="
-	authn_core
-	authz_core
-	authz_host
-	dir
-	mime
-	unixd
-"
-inherit apache-2 systemd tmpfiles toolchain-funcs
-
-DESCRIPTION="The Apache Web Server"
-HOMEPAGE="https://httpd.apache.org/"
-
-# some helper scripts are Apache-1.1, thus both are here
-LICENSE="Apache-2.0 Apache-1.1"
-SLOT="2"
-KEYWORDS="alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-linux ~x64-macos ~x86-macos ~m68k-mint ~sparc64-solaris ~x64-solaris"
-
-# Enable http2 by default (bug #563452)
-# FIXME: Move to apache-2.eclass once this has reached stable.
-IUSE="${IUSE/apache2_modules_http2/+apache2_modules_http2}"
-# New suexec options (since 2.4.34)
-IUSE="${IUSE} +suexec-caps suexec-syslog"
-
-CDEPEND="apache2_modules_brotli? ( >=app-arch/brotli-0.6.0:= )
-	apache2_modules_http2? ( >=net-libs/nghttp2-1.2.1 )
-	apache2_modules_md? ( >=dev-libs/jansson-2.10 )"
-
-DEPEND+="${CDEPEND}
-	suexec? ( suexec-caps? ( sys-libs/libcap ) )"
-RDEPEND+="${CDEPEND}"
-
-REQUIRED_USE="apache2_modules_http2? ( ssl )
-	apache2_modules_md? ( ssl )"
-
-pkg_setup() {
-	# dependend critical modules which are not allowed in global scope due
-	# to USE flag conditionals (bug #499260)
-	use ssl && MODULE_CRITICAL+=" socache_shmcb"
-	use doc && MODULE_CRITICAL+=" alias negotiation setenvif"
-	apache-2_pkg_setup
-}
-
-src_configure() {
-	# Brain dead check.
-	tc-is-cross-compiler && export ap_cv_void_ptr_lt_long="no"
-
-	apache-2_src_configure
-}
-
-src_compile() {
-	if tc-is-cross-compiler; then
-		# This header is the same across targets, so use the build compiler.
-		pushd server >/dev/null
-		emake gen_test_char
-		tc-export_build_env BUILD_CC
-		${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} \
-			gen_test_char.c -o gen_test_char $(apr-1-config --includes) || die
-		popd >/dev/null
-	fi
-
-	default
-}
-
-src_install() {
-	apache-2_src_install
-	local i
-	local apache_tools_prune_list=(
-		/usr/bin/{htdigest,logresolve,htpasswd,htdbm,ab,httxt2dbm}
-		/usr/sbin/{checkgid,fcgistarter,htcacheclean,rotatelogs}
-		/usr/share/man/man1/{logresolve.1,htdbm.1,htdigest.1,htpasswd.1,dbmmanage.1,ab.1}
-		/usr/share/man/man8/{rotatelogs.8,htcacheclean.8}
-	)
-	for i in ${apache_tools_prune_list[@]} ; do
-		rm "${ED%/}"/${i} || die "Failed to prune apache-tools bits"
-	done
-
-	# install apxs in /usr/bin (bug #502384) and put a symlink into the
-	# old location until all ebuilds and eclasses have been modified to
-	# use the new location.
-	dobin support/apxs
-	dosym ../bin/apxs /usr/sbin/apxs
-
-	# Note: wait for mod_systemd to be included in some forthcoming release,
-	# Then apache2.4.service can be used and systemd support controlled
-	# through --enable-systemd
-	systemd_newunit "${FILESDIR}/apache2.2-hardened.service" "apache2.service"
-	systemd_dotmpfilesd "${FILESDIR}/apache.conf"
-	#insinto /etc/apache2/modules.d
-	#doins "${FILESDIR}/00_systemd.conf"
-
-	# Install http2 module config
-	insinto /etc/apache2/modules.d
-	doins "${FILESDIR}"/41_mod_http2.conf
-
-	# Fix path to apache libdir
-	sed "s|@LIBDIR@|$(get_libdir)|" -i "${ED%/}"/usr/sbin/apache2ctl || die
-}
-
-pkg_postinst() {
-	apache-2_pkg_postinst || die "apache-2_pkg_postinst failed"
-
-	tmpfiles_process apache.conf #662544
-
-	# warnings that default config might not work out of the box
-	local mod cmod
-	for mod in ${MODULE_CRITICAL} ; do
-		if ! use "apache2_modules_${mod}"; then
-			echo
-			ewarn "Warning: Critical module not installed!"
-			ewarn "Modules 'authn_core', 'authz_core' and 'unixd'"
-			ewarn "are highly recomended but might not be in the base profile yet."
-			ewarn "Default config for ssl needs module 'socache_shmcb'."
-			ewarn "Enabling the following flags is highly recommended:"
-			for cmod in ${MODULE_CRITICAL} ; do
-				use "apache2_modules_${cmod}" || \
-					ewarn "+ apache2_modules_${cmod}"
-			done
-			echo
-			break
-		fi
-	done
-	# warning for proxy_balancer and missing load balancing scheduler
-	if use apache2_modules_proxy_balancer; then
-		local lbset=
-		for mod in lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat; do
-			if use "apache2_modules_${mod}"; then
-				lbset=1 && break
-			fi
-		done
-		if [ ! ${lbset} ] ; then
-			echo
-			ewarn "Info: Missing load balancing scheduler algorithm module"
-			ewarn "(They were split off from proxy_balancer in 2.3)"
-			ewarn "In order to get the ability of load balancing, at least"
-			ewarn "one of these modules has to be present:"
-			ewarn "lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat"
-			echo
-		fi
-	fi
-}

diff --git a/www-servers/apache/files/apache-2.4.34-PR62557.patch b/www-servers/apache/files/apache-2.4.34-PR62557.patch
deleted file mode 100644
index d95a9864d1b..00000000000
--- a/www-servers/apache/files/apache-2.4.34-PR62557.patch
+++ /dev/null
@@ -1,216 +0,0 @@
-From d7713339dbde7cfa4cfc9914f683b4644dcab92e Mon Sep 17 00:00:00 2001
-From: Ruediger Pluem <rpluem@apache.org>
-Date: Fri, 20 Jul 2018 19:27:31 +0000
-Subject: [PATCH] * mod_proxy: Remove load order and link dependency between
- mod_lbmethod_*   modules and mod_proxy by providing mod_proxy's
- ap_proxy_balancer_get_best_worker   as an optional function.
-
-PR: 62557
-
-
-git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1836381 13f79535-47bb-0310-9956-ffa450edef68
----
- CHANGES                                           |  3 +++
- include/ap_mmn.h                                  |  5 +++-
- modules/proxy/balancers/mod_lbmethod_bybusyness.c | 28 ++++++++++++++++++++++-
- modules/proxy/balancers/mod_lbmethod_byrequests.c | 28 ++++++++++++++++++++++-
- modules/proxy/balancers/mod_lbmethod_bytraffic.c  | 28 ++++++++++++++++++++++-
- modules/proxy/mod_proxy.h                         |  8 +++++++
- modules/proxy/proxy_util.c                        |  1 +
- 7 files changed, 97 insertions(+), 4 deletions(-)
-
---- apache2.orig/modules/proxy/balancers/mod_lbmethod_bybusyness.c
-+++ apache2/modules/proxy/balancers/mod_lbmethod_bybusyness.c
-@@ -22,6 +22,9 @@
- 
- module AP_MODULE_DECLARE_DATA lbmethod_bybusyness_module;
- 
-+static APR_OPTIONAL_FN_TYPE(ap_proxy_balancer_get_best_worker)
-+                            *ap_proxy_balancer_get_best_worker_fn = NULL;
-+
- static int is_best_bybusyness(proxy_worker *current, proxy_worker *prev_best, void *baton)
- {
-     int *total_factor = (int *)baton;
-@@ -44,7 +47,7 @@ static proxy_worker *find_best_bybusynes
- {
-     int total_factor = 0;
-     proxy_worker *worker =
--        ap_proxy_balancer_get_best_worker(balancer, r, is_best_bybusyness,
-+        ap_proxy_balancer_get_best_worker_fn(balancer, r, is_best_bybusyness,
-                                           &total_factor);
- 
-     if (worker) {
-@@ -82,9 +85,32 @@ static const proxy_balancer_method bybus
-     NULL
- };
- 
-+/* post_config hook: */
-+static int lbmethod_bybusyness_post_config(apr_pool_t *pconf, apr_pool_t *plog,
-+        apr_pool_t *ptemp, server_rec *s)
-+{
-+
-+    /* lbmethod_bybusyness_post_config() will be called twice during startup.  So, don't
-+     * set up the static data the 1st time through. */
-+    if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG) {
-+        return OK;
-+    }
-+
-+    ap_proxy_balancer_get_best_worker_fn =
-+                 APR_RETRIEVE_OPTIONAL_FN(ap_proxy_balancer_get_best_worker);
-+    if (!ap_proxy_balancer_get_best_worker_fn) {
-+        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO()
-+                     "mod_proxy must be loaded for mod_lbmethod_bybusyness");
-+        return !OK;
-+    }
-+
-+    return OK;
-+}
-+
- static void register_hook(apr_pool_t *p)
- {
-     ap_register_provider(p, PROXY_LBMETHOD, "bybusyness", "0", &bybusyness);
-+    ap_hook_post_config(lbmethod_bybusyness_post_config, NULL, NULL, APR_HOOK_MIDDLE);
- }
- 
- AP_DECLARE_MODULE(lbmethod_bybusyness) = {
---- apache2.orig/modules/proxy/balancers/mod_lbmethod_byrequests.c
-+++ apache2/modules/proxy/balancers/mod_lbmethod_byrequests.c
-@@ -22,6 +22,9 @@
- 
- module AP_MODULE_DECLARE_DATA lbmethod_byrequests_module;
- 
-+static APR_OPTIONAL_FN_TYPE(ap_proxy_balancer_get_best_worker)
-+                            *ap_proxy_balancer_get_best_worker_fn = NULL;
-+
- static int is_best_byrequests(proxy_worker *current, proxy_worker *prev_best, void *baton)
- {
-     int *total_factor = (int *)baton;
-@@ -81,7 +84,7 @@ static proxy_worker *find_best_byrequest
-                                 request_rec *r)
- {
-     int total_factor = 0;
--    proxy_worker *worker = ap_proxy_balancer_get_best_worker(balancer, r, is_best_byrequests, &total_factor);
-+    proxy_worker *worker = ap_proxy_balancer_get_best_worker_fn(balancer, r, is_best_byrequests, &total_factor);
- 
-     if (worker) {
-         worker->s->lbstatus -= total_factor;
-@@ -123,6 +126,28 @@ static const proxy_balancer_method byreq
-     NULL
- };
- 
-+/* post_config hook: */
-+static int lbmethod_byrequests_post_config(apr_pool_t *pconf, apr_pool_t *plog,
-+        apr_pool_t *ptemp, server_rec *s)
-+{
-+
-+    /* lbmethod_byrequests_post_config() will be called twice during startup.  So, don't
-+     * set up the static data the 1st time through. */
-+    if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG) {
-+        return OK;
-+    }
-+
-+    ap_proxy_balancer_get_best_worker_fn =
-+                 APR_RETRIEVE_OPTIONAL_FN(ap_proxy_balancer_get_best_worker);
-+    if (!ap_proxy_balancer_get_best_worker_fn) {
-+        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO()
-+                     "mod_proxy must be loaded for mod_lbmethod_byrequests");
-+        return !OK;
-+    }
-+
-+    return OK;
-+}
-+
- static void register_hook(apr_pool_t *p)
- {
-     /* Only the mpm_winnt has child init hook handler.
-@@ -130,6 +155,7 @@ static void register_hook(apr_pool_t *p)
-      * initializes and after the mod_proxy
-      */
-     ap_register_provider(p, PROXY_LBMETHOD, "byrequests", "0", &byrequests);
-+    ap_hook_post_config(lbmethod_byrequests_post_config, NULL, NULL, APR_HOOK_MIDDLE);
- }
- 
- AP_DECLARE_MODULE(lbmethod_byrequests) = {
---- apache2.orig/modules/proxy/balancers/mod_lbmethod_bytraffic.c
-+++ apache2/modules/proxy/balancers/mod_lbmethod_bytraffic.c
-@@ -22,6 +22,9 @@
- 
- module AP_MODULE_DECLARE_DATA lbmethod_bytraffic_module;
- 
-+static APR_OPTIONAL_FN_TYPE(ap_proxy_balancer_get_best_worker)
-+                            *ap_proxy_balancer_get_best_worker_fn = NULL;
-+
- static int is_best_bytraffic(proxy_worker *current, proxy_worker *prev_best, void *baton)
- {
-     apr_off_t *min_traffic = (apr_off_t *)baton;
-@@ -59,7 +62,7 @@ static proxy_worker *find_best_bytraffic
- {
-     apr_off_t min_traffic = 0;
- 
--    return ap_proxy_balancer_get_best_worker(balancer, r, is_best_bytraffic,
-+    return ap_proxy_balancer_get_best_worker_fn(balancer, r, is_best_bytraffic,
-                                              &min_traffic);
- }
- 
-@@ -93,6 +96,28 @@ static const proxy_balancer_method bytra
-     NULL
- };
- 
-+/* post_config hook: */
-+static int lbmethod_bytraffic_post_config(apr_pool_t *pconf, apr_pool_t *plog,
-+        apr_pool_t *ptemp, server_rec *s)
-+{
-+
-+    /* lbmethod_bytraffic_post_config() will be called twice during startup.  So, don't
-+     * set up the static data the 1st time through. */
-+    if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG) {
-+        return OK;
-+    }
-+
-+    ap_proxy_balancer_get_best_worker_fn =
-+                 APR_RETRIEVE_OPTIONAL_FN(ap_proxy_balancer_get_best_worker);
-+    if (!ap_proxy_balancer_get_best_worker_fn) {
-+        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO()
-+                     "mod_proxy must be loaded for mod_lbmethod_bytraffic");
-+        return !OK;
-+    }
-+
-+    return OK;
-+}
-+
- static void register_hook(apr_pool_t *p)
- {
-     /* Only the mpm_winnt has child init hook handler.
-@@ -100,6 +125,7 @@ static void register_hook(apr_pool_t *p)
-      * initializes and after the mod_proxy
-      */
-     ap_register_provider(p, PROXY_LBMETHOD, "bytraffic", "0", &bytraffic);
-+    ap_hook_post_config(lbmethod_bytraffic_post_config, NULL, NULL, APR_HOOK_MIDDLE);
- }
- 
- AP_DECLARE_MODULE(lbmethod_bytraffic) = {
---- apache2.orig/modules/proxy/mod_proxy.h
-+++ apache2/modules/proxy/mod_proxy.h
-@@ -846,6 +846,14 @@ PROXY_DECLARE(proxy_worker *) ap_proxy_b
-                                                                 request_rec *r,
-                                                                 proxy_is_best_callback_fn_t *is_best,
-                                                                 void *baton);
-+/*
-+ * Needed by the lb modules.
-+ */
-+APR_DECLARE_OPTIONAL_FN(proxy_worker *, ap_proxy_balancer_get_best_worker,
-+                                        (proxy_balancer *balancer,
-+                                         request_rec *r,
-+                                         proxy_is_best_callback_fn_t *is_best,
-+                                         void *baton));
- 
- /**
-  * Find the shm of the worker as needed
---- apache2.orig/modules/proxy/proxy_util.c
-+++ apache2/modules/proxy/proxy_util.c
-@@ -4028,4 +4028,5 @@ void proxy_util_register_hooks(apr_pool_
- {
-     APR_REGISTER_OPTIONAL_FN(ap_proxy_retry_worker);
-     APR_REGISTER_OPTIONAL_FN(ap_proxy_clear_connection);
-+    APR_REGISTER_OPTIONAL_FN(ap_proxy_balancer_get_best_worker);
- }

diff --git a/www-servers/apache/files/apache-2.4.34-suexec_parallel_install.patch b/www-servers/apache/files/apache-2.4.34-suexec_parallel_install.patch
deleted file mode 100644
index d5543f7004b..00000000000
--- a/www-servers/apache/files/apache-2.4.34-suexec_parallel_install.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-https://bugs.gentoo.org/661358
-
---- httpd-2.4.34/Makefile.in
-+++ httpd-2.4.34/Makefile.in
-@@ -277,12 +277,12 @@
-             $(INSTALL_PROGRAM) $(top_builddir)/support/suexec $(DESTDIR)$(sbindir); \
- 	fi
- 
--install-suexec-setuid:
-+install-suexec-setuid: install-suexec-binary
- 	@if test -f $(builddir)/support/suexec; then \
- 	    chmod 4755 $(DESTDIR)$(sbindir)/suexec; \
- 	fi
- 
--install-suexec-caps:
-+install-suexec-caps: install-suexec-binary
- 	@if test -f $(builddir)/support/suexec; then \
-             setcap 'cap_setuid,cap_setgid+pe' $(DESTDIR)$(sbindir)/suexec; \
- 	fi


^ permalink raw reply related	[flat|nested] 15+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: www-servers/apache/, www-servers/apache/files/
@ 2018-08-24  0:56 Thomas Deutschmann
  0 siblings, 0 replies; 15+ messages in thread
From: Thomas Deutschmann @ 2018-08-24  0:56 UTC (permalink / raw
  To: gentoo-commits

commit:     f3fdd0e0b70833ffebc5a45732a48eb6a359fce5
Author:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
AuthorDate: Fri Aug 24 00:55:44 2018 +0000
Commit:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Fri Aug 24 00:55:44 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f3fdd0e0

www-servers/apache: fix the issue with lbmethod_* load order

Closes: https://bugs.gentoo.org/663312
Package-Manager: Portage-2.3.48, Repoman-2.3.10
RepoMan-Options: --force

 ...he-2.4.34-r1.ebuild => apache-2.4.34-r2.ebuild} |   1 +
 .../apache/files/apache-2.4.34-PR62557.patch       | 216 +++++++++++++++++++++
 2 files changed, 217 insertions(+)

diff --git a/www-servers/apache/apache-2.4.34-r1.ebuild b/www-servers/apache/apache-2.4.34-r2.ebuild
similarity index 99%
rename from www-servers/apache/apache-2.4.34-r1.ebuild
rename to www-servers/apache/apache-2.4.34-r2.ebuild
index d9a72b6f05c..db0368ea9f7 100644
--- a/www-servers/apache/apache-2.4.34-r1.ebuild
+++ b/www-servers/apache/apache-2.4.34-r2.ebuild
@@ -151,6 +151,7 @@ REQUIRED_USE="apache2_modules_http2? ( ssl )
 
 PATCHES=(
 	"${FILESDIR}/${PN}-2.4.34-suexec_parallel_install.patch" #661358
+	"${FILESDIR}"/${P}-PR62557.patch #663312
 )
 
 pkg_setup() {

diff --git a/www-servers/apache/files/apache-2.4.34-PR62557.patch b/www-servers/apache/files/apache-2.4.34-PR62557.patch
new file mode 100644
index 00000000000..d95a9864d1b
--- /dev/null
+++ b/www-servers/apache/files/apache-2.4.34-PR62557.patch
@@ -0,0 +1,216 @@
+From d7713339dbde7cfa4cfc9914f683b4644dcab92e Mon Sep 17 00:00:00 2001
+From: Ruediger Pluem <rpluem@apache.org>
+Date: Fri, 20 Jul 2018 19:27:31 +0000
+Subject: [PATCH] * mod_proxy: Remove load order and link dependency between
+ mod_lbmethod_*   modules and mod_proxy by providing mod_proxy's
+ ap_proxy_balancer_get_best_worker   as an optional function.
+
+PR: 62557
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1836381 13f79535-47bb-0310-9956-ffa450edef68
+---
+ CHANGES                                           |  3 +++
+ include/ap_mmn.h                                  |  5 +++-
+ modules/proxy/balancers/mod_lbmethod_bybusyness.c | 28 ++++++++++++++++++++++-
+ modules/proxy/balancers/mod_lbmethod_byrequests.c | 28 ++++++++++++++++++++++-
+ modules/proxy/balancers/mod_lbmethod_bytraffic.c  | 28 ++++++++++++++++++++++-
+ modules/proxy/mod_proxy.h                         |  8 +++++++
+ modules/proxy/proxy_util.c                        |  1 +
+ 7 files changed, 97 insertions(+), 4 deletions(-)
+
+--- apache2.orig/modules/proxy/balancers/mod_lbmethod_bybusyness.c
++++ apache2/modules/proxy/balancers/mod_lbmethod_bybusyness.c
+@@ -22,6 +22,9 @@
+ 
+ module AP_MODULE_DECLARE_DATA lbmethod_bybusyness_module;
+ 
++static APR_OPTIONAL_FN_TYPE(ap_proxy_balancer_get_best_worker)
++                            *ap_proxy_balancer_get_best_worker_fn = NULL;
++
+ static int is_best_bybusyness(proxy_worker *current, proxy_worker *prev_best, void *baton)
+ {
+     int *total_factor = (int *)baton;
+@@ -44,7 +47,7 @@ static proxy_worker *find_best_bybusynes
+ {
+     int total_factor = 0;
+     proxy_worker *worker =
+-        ap_proxy_balancer_get_best_worker(balancer, r, is_best_bybusyness,
++        ap_proxy_balancer_get_best_worker_fn(balancer, r, is_best_bybusyness,
+                                           &total_factor);
+ 
+     if (worker) {
+@@ -82,9 +85,32 @@ static const proxy_balancer_method bybus
+     NULL
+ };
+ 
++/* post_config hook: */
++static int lbmethod_bybusyness_post_config(apr_pool_t *pconf, apr_pool_t *plog,
++        apr_pool_t *ptemp, server_rec *s)
++{
++
++    /* lbmethod_bybusyness_post_config() will be called twice during startup.  So, don't
++     * set up the static data the 1st time through. */
++    if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG) {
++        return OK;
++    }
++
++    ap_proxy_balancer_get_best_worker_fn =
++                 APR_RETRIEVE_OPTIONAL_FN(ap_proxy_balancer_get_best_worker);
++    if (!ap_proxy_balancer_get_best_worker_fn) {
++        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO()
++                     "mod_proxy must be loaded for mod_lbmethod_bybusyness");
++        return !OK;
++    }
++
++    return OK;
++}
++
+ static void register_hook(apr_pool_t *p)
+ {
+     ap_register_provider(p, PROXY_LBMETHOD, "bybusyness", "0", &bybusyness);
++    ap_hook_post_config(lbmethod_bybusyness_post_config, NULL, NULL, APR_HOOK_MIDDLE);
+ }
+ 
+ AP_DECLARE_MODULE(lbmethod_bybusyness) = {
+--- apache2.orig/modules/proxy/balancers/mod_lbmethod_byrequests.c
++++ apache2/modules/proxy/balancers/mod_lbmethod_byrequests.c
+@@ -22,6 +22,9 @@
+ 
+ module AP_MODULE_DECLARE_DATA lbmethod_byrequests_module;
+ 
++static APR_OPTIONAL_FN_TYPE(ap_proxy_balancer_get_best_worker)
++                            *ap_proxy_balancer_get_best_worker_fn = NULL;
++
+ static int is_best_byrequests(proxy_worker *current, proxy_worker *prev_best, void *baton)
+ {
+     int *total_factor = (int *)baton;
+@@ -81,7 +84,7 @@ static proxy_worker *find_best_byrequest
+                                 request_rec *r)
+ {
+     int total_factor = 0;
+-    proxy_worker *worker = ap_proxy_balancer_get_best_worker(balancer, r, is_best_byrequests, &total_factor);
++    proxy_worker *worker = ap_proxy_balancer_get_best_worker_fn(balancer, r, is_best_byrequests, &total_factor);
+ 
+     if (worker) {
+         worker->s->lbstatus -= total_factor;
+@@ -123,6 +126,28 @@ static const proxy_balancer_method byreq
+     NULL
+ };
+ 
++/* post_config hook: */
++static int lbmethod_byrequests_post_config(apr_pool_t *pconf, apr_pool_t *plog,
++        apr_pool_t *ptemp, server_rec *s)
++{
++
++    /* lbmethod_byrequests_post_config() will be called twice during startup.  So, don't
++     * set up the static data the 1st time through. */
++    if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG) {
++        return OK;
++    }
++
++    ap_proxy_balancer_get_best_worker_fn =
++                 APR_RETRIEVE_OPTIONAL_FN(ap_proxy_balancer_get_best_worker);
++    if (!ap_proxy_balancer_get_best_worker_fn) {
++        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO()
++                     "mod_proxy must be loaded for mod_lbmethod_byrequests");
++        return !OK;
++    }
++
++    return OK;
++}
++
+ static void register_hook(apr_pool_t *p)
+ {
+     /* Only the mpm_winnt has child init hook handler.
+@@ -130,6 +155,7 @@ static void register_hook(apr_pool_t *p)
+      * initializes and after the mod_proxy
+      */
+     ap_register_provider(p, PROXY_LBMETHOD, "byrequests", "0", &byrequests);
++    ap_hook_post_config(lbmethod_byrequests_post_config, NULL, NULL, APR_HOOK_MIDDLE);
+ }
+ 
+ AP_DECLARE_MODULE(lbmethod_byrequests) = {
+--- apache2.orig/modules/proxy/balancers/mod_lbmethod_bytraffic.c
++++ apache2/modules/proxy/balancers/mod_lbmethod_bytraffic.c
+@@ -22,6 +22,9 @@
+ 
+ module AP_MODULE_DECLARE_DATA lbmethod_bytraffic_module;
+ 
++static APR_OPTIONAL_FN_TYPE(ap_proxy_balancer_get_best_worker)
++                            *ap_proxy_balancer_get_best_worker_fn = NULL;
++
+ static int is_best_bytraffic(proxy_worker *current, proxy_worker *prev_best, void *baton)
+ {
+     apr_off_t *min_traffic = (apr_off_t *)baton;
+@@ -59,7 +62,7 @@ static proxy_worker *find_best_bytraffic
+ {
+     apr_off_t min_traffic = 0;
+ 
+-    return ap_proxy_balancer_get_best_worker(balancer, r, is_best_bytraffic,
++    return ap_proxy_balancer_get_best_worker_fn(balancer, r, is_best_bytraffic,
+                                              &min_traffic);
+ }
+ 
+@@ -93,6 +96,28 @@ static const proxy_balancer_method bytra
+     NULL
+ };
+ 
++/* post_config hook: */
++static int lbmethod_bytraffic_post_config(apr_pool_t *pconf, apr_pool_t *plog,
++        apr_pool_t *ptemp, server_rec *s)
++{
++
++    /* lbmethod_bytraffic_post_config() will be called twice during startup.  So, don't
++     * set up the static data the 1st time through. */
++    if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG) {
++        return OK;
++    }
++
++    ap_proxy_balancer_get_best_worker_fn =
++                 APR_RETRIEVE_OPTIONAL_FN(ap_proxy_balancer_get_best_worker);
++    if (!ap_proxy_balancer_get_best_worker_fn) {
++        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO()
++                     "mod_proxy must be loaded for mod_lbmethod_bytraffic");
++        return !OK;
++    }
++
++    return OK;
++}
++
+ static void register_hook(apr_pool_t *p)
+ {
+     /* Only the mpm_winnt has child init hook handler.
+@@ -100,6 +125,7 @@ static void register_hook(apr_pool_t *p)
+      * initializes and after the mod_proxy
+      */
+     ap_register_provider(p, PROXY_LBMETHOD, "bytraffic", "0", &bytraffic);
++    ap_hook_post_config(lbmethod_bytraffic_post_config, NULL, NULL, APR_HOOK_MIDDLE);
+ }
+ 
+ AP_DECLARE_MODULE(lbmethod_bytraffic) = {
+--- apache2.orig/modules/proxy/mod_proxy.h
++++ apache2/modules/proxy/mod_proxy.h
+@@ -846,6 +846,14 @@ PROXY_DECLARE(proxy_worker *) ap_proxy_b
+                                                                 request_rec *r,
+                                                                 proxy_is_best_callback_fn_t *is_best,
+                                                                 void *baton);
++/*
++ * Needed by the lb modules.
++ */
++APR_DECLARE_OPTIONAL_FN(proxy_worker *, ap_proxy_balancer_get_best_worker,
++                                        (proxy_balancer *balancer,
++                                         request_rec *r,
++                                         proxy_is_best_callback_fn_t *is_best,
++                                         void *baton));
+ 
+ /**
+  * Find the shm of the worker as needed
+--- apache2.orig/modules/proxy/proxy_util.c
++++ apache2/modules/proxy/proxy_util.c
+@@ -4028,4 +4028,5 @@ void proxy_util_register_hooks(apr_pool_
+ {
+     APR_REGISTER_OPTIONAL_FN(ap_proxy_retry_worker);
+     APR_REGISTER_OPTIONAL_FN(ap_proxy_clear_connection);
++    APR_REGISTER_OPTIONAL_FN(ap_proxy_balancer_get_best_worker);
+ }


^ permalink raw reply related	[flat|nested] 15+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: www-servers/apache/, www-servers/apache/files/
@ 2018-03-26 17:47 Lars Wendler
  0 siblings, 0 replies; 15+ messages in thread
From: Lars Wendler @ 2018-03-26 17:47 UTC (permalink / raw
  To: gentoo-commits

commit:     79c6b4e2b7afadede4ed93a52be4f3cb9c907c08
Author:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Mon Mar 26 17:43:48 2018 +0000
Commit:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Mon Mar 26 17:47:07 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=79c6b4e2

Revert "www-servers/apache: Bye bye apache-2.2"

This reverts commit 551a46a19cefaf4502e7f80823fe4cae7a56cdac.

 www-servers/apache/Manifest                |   2 +
 www-servers/apache/apache-2.2.34.ebuild    | 114 +++++++++++++++++++++++++++++
 www-servers/apache/files/apache2.2.service |  19 +++++
 3 files changed, 135 insertions(+)

diff --git a/www-servers/apache/Manifest b/www-servers/apache/Manifest
index 2c8bcbc430a..93c910dd717 100644
--- a/www-servers/apache/Manifest
+++ b/www-servers/apache/Manifest
@@ -1,6 +1,8 @@
+DIST gentoo-apache-2.2.34-20170918.tar.bz2 64390 BLAKE2B d3f6d85192706d7c49a38cc36e816b3ae531f8c0d42111c33ec32ed39900d36d8a2a85a5d1b5afca22331137f04fb24fb424a42a21caa7eb4f6906fa39cb8224 SHA512 10b42e50dcc196f60bcaefe90c382d62a61339dd8a56e899d6afb6998be4acdd376e2c3509791f22a0acf99d06add497e32703b6d523f640306a6db5e05f358a
 DIST gentoo-apache-2.4.18-r1-20160303.tar.bz2 24505 BLAKE2B 504deabe5ee9e2b32f44e8ea6cde6f01e7f26643ca05eb0aaf860ab6440d821566f83b5c9aacb2201382f9326974c7dddea4f4289d9da5857762611f424f0395 SHA512 68f0c4de38ae05c45839fe692cbb7de641e331ca133b8aaaf69f3659dec15833cda95e6e074edb3a5b6b6d59b3fc5a4ee3589fff810707fe27417a25cd8a4c4d
 DIST gentoo-apache-2.4.27-20170918.tar.bz2 24850 BLAKE2B a832c2c7a575e167b72214f325cb85922c49969ea8cc4b5821ce97b1d4028ab56852bf416cb32c99f2b2b356545b6fea0af0fa4f6e13bf001393b468357cbcfb SHA512 c58a9a0b171188ff163f6b45c47f243797d4050cf461ba1a642115350285879005be6496cee2031bffaccc0d8beda4c27de87afa2ded17cbe559f792eb7c00e8
 DIST gentoo-apache-2.4.33-20180323.tar.bz2 24804 BLAKE2B 42636b36a917d59a016c1143014292d1d34080f295dbfff54c39b82898f37cf280a0a812c70ebc3544dd93c609a62f098816275f0dea0b94ac4b0fdcabb77c9c SHA512 54bc375908eed2c5f590e4d24eae01b502b366425ddec36113874267a0186f0ee815659f6ed92f91455dfefc16d6a486356694c762fcbe19aed01f8db8da01f7
+DIST httpd-2.2.34.tar.bz2 5779739 BLAKE2B 8cdd41fb5d1880da4a1cfef252b4682f613b938594057ea4c9665d3881a50b298fb7339c1ceb3dafc215aa927048f99d500f2d29c125016d5766954be9b632b4 SHA512 e6dac5865a48533c025fe17523ee74d68c3a23f9512c9441b78a140e33cfb6835573eb049b0ad424eb5c5ca78a1915778c54e8a409da95fbdd3890cb99e08240
 DIST httpd-2.4.27.tar.bz2 6527394 BLAKE2B 50a650eb2edd121dac860ff555273290010d7e85bf4d5fbe3683f82e1928dde99ebfabc42186436f5052a66555a73d8b797b114c76c123faa31b9f51575d0bbb SHA512 7e7e8070715b74cb6890096a74e194f4c6a49c14bda685b1ad832e84312f1ac4316ea03a430e679502bfd8e1853aefa544ee002a20d0f7e994b9a590c74bc42c
 DIST httpd-2.4.29.tar.bz2 6567926 BLAKE2B 01a83212941abad548f73fc144f9731ff51e0ed8f975e76cb994247601f7c2f89a3f862e011638afb77988eda0ef2b543634fb6bc45b583e9bdba2c30e565731 SHA512 840982fd3d21463bc5c1747f211dfacf3abdf634d149e49bb49fd2e5deda140de602dbdf31e1bbe5337a48f718ab2261c408e83a8dd39a9291ee7b6b7a85639a
 DIST httpd-2.4.33.tar.bz2 6934765 BLAKE2B 4ff266b85358e3100c8064c84c89db0235e6f46bb4b308e6b3bf642a9c0815eb6a731ee12e3d8ea2bf31a5d5e6621152452f1e8a9625755689f552f2473b1955 SHA512 e74b2b3346d67be45a8bc8a7cbb8eabf5c403a5cfe5797a976f94a539529843fbcdf03b9ca0548816b2cf37f4ce0eb301f8d5af25b1270fdf8dd9f5bf0585269

diff --git a/www-servers/apache/apache-2.2.34.ebuild b/www-servers/apache/apache-2.2.34.ebuild
new file mode 100644
index 00000000000..e17bfb660c5
--- /dev/null
+++ b/www-servers/apache/apache-2.2.34.ebuild
@@ -0,0 +1,114 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=5
+
+# latest gentoo apache files
+GENTOO_PATCHSTAMP="20170918"
+GENTOO_DEVELOPER="whissi"
+GENTOO_PATCHNAME="gentoo-apache-2.2.34"
+
+# IUSE/USE_EXPAND magic
+IUSE_MPMS_FORK="itk peruser prefork"
+IUSE_MPMS_THREAD="event worker"
+
+IUSE_MODULES="actions alias asis auth_basic auth_digest authn_alias authn_anon
+authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default
+authz_groupfile authz_host authz_owner authz_user autoindex cache cern_meta
+charset_lite cgi cgid dav dav_fs dav_lock dbd deflate dir disk_cache dumpio
+env expires ext_filter file_cache filter headers ident imagemap include info
+log_config log_forensic logio mem_cache mime mime_magic negotiation proxy
+proxy_ajp proxy_balancer proxy_connect proxy_ftp proxy_http proxy_scgi rewrite
+reqtimeout setenvif speling status substitute unique_id userdir usertrack
+version vhost_alias"
+# The following are also in the source as of this version, but are not available
+# for user selection:
+# bucketeer case_filter case_filter_in echo http isapi optional_fn_export
+# optional_fn_import optional_hook_export optional_hook_import
+
+# inter-module dependencies
+# TODO: this may still be incomplete
+MODULE_DEPENDS="
+	dav_fs:dav
+	dav_lock:dav
+	deflate:filter
+	disk_cache:cache
+	ext_filter:filter
+	file_cache:cache
+	log_forensic:log_config
+	logio:log_config
+	mem_cache:cache
+	mime_magic:mime
+	proxy_ajp:proxy
+	proxy_balancer:proxy
+	proxy_connect:proxy
+	proxy_ftp:proxy
+	proxy_http:proxy
+	proxy_scgi:proxy
+	substitute:filter
+"
+
+# module<->define mappings
+MODULE_DEFINES="
+	auth_digest:AUTH_DIGEST
+	authnz_ldap:AUTHNZ_LDAP
+	cache:CACHE
+	dav:DAV
+	dav_fs:DAV
+	dav_lock:DAV
+	disk_cache:CACHE
+	file_cache:CACHE
+	info:INFO
+	ldap:LDAP
+	mem_cache:CACHE
+	proxy:PROXY
+	proxy_ajp:PROXY
+	proxy_balancer:PROXY
+	proxy_connect:PROXY
+	proxy_ftp:PROXY
+	proxy_http:PROXY
+	ssl:SSL
+	status:STATUS
+	suexec:SUEXEC
+	userdir:USERDIR
+"
+
+# critical modules for the default config
+MODULE_CRITICAL="
+	authz_host
+	dir
+	mime
+"
+
+inherit apache-2 systemd toolchain-funcs
+
+DESCRIPTION="The Apache Web Server"
+HOMEPAGE="https://httpd.apache.org/"
+
+# some helper scripts are Apache-1.1, thus both are here
+LICENSE="Apache-2.0 Apache-1.1"
+SLOT="2"
+KEYWORDS="alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~x86-fbsd"
+IUSE=""
+
+src_configure() {
+	# Brain dead check.
+	tc-is-cross-compiler && export ap_cv_void_ptr_lt_long="no"
+
+	apache-2_src_configure
+}
+
+src_install() {
+	apache-2_src_install
+
+	# install apxs in /usr/bin (bug #502384) and put a symlink into the
+	# old location until all ebuilds and eclasses have been modified to
+	# use the new location.
+	local apxs_dir="/usr/bin"
+	dodir ${apxs_dir}
+	mv "${D}"/usr/sbin/apxs "${D}"${apxs_dir} || die
+	ln -s ../bin/apxs "${D}"/usr/sbin/apxs || die
+
+	systemd_newunit "${FILESDIR}/apache2.2.service" "apache2.service"
+	systemd_dotmpfilesd "${FILESDIR}/apache.conf"
+}

diff --git a/www-servers/apache/files/apache2.2.service b/www-servers/apache/files/apache2.2.service
new file mode 100644
index 00000000000..76f783a423b
--- /dev/null
+++ b/www-servers/apache/files/apache2.2.service
@@ -0,0 +1,19 @@
+[Unit]
+Description=The Apache HTTP Server
+After=network.target remote-fs.target nss-lookup.target
+
+[Service]
+EnvironmentFile=/etc/conf.d/apache2
+ExecStart=/usr/sbin/apache2 $APACHE2_OPTS -DFOREGROUND
+ExecReload=/usr/sbin/apache2 $APACHE2_OPTS -k graceful
+ExecStop=/usr/sbin/apache2 $APACHE2_OPTS -k graceful-stop
+# We want systemd to give httpd some time to finish gracefully, but still want
+# it to kill httpd after TimeoutStopSec if something went wrong during the
+# graceful stop. Normally, Systemd sends SIGTERM signal right after the
+# ExecStop, which would kill httpd. We are sending useless SIGCONT here to give
+# httpd time to finish.
+KillSignal=SIGCONT
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target


^ permalink raw reply related	[flat|nested] 15+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: www-servers/apache/, www-servers/apache/files/
@ 2018-03-26  9:19 Lars Wendler
  0 siblings, 0 replies; 15+ messages in thread
From: Lars Wendler @ 2018-03-26  9:19 UTC (permalink / raw
  To: gentoo-commits

commit:     551a46a19cefaf4502e7f80823fe4cae7a56cdac
Author:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Mon Mar 26 09:17:56 2018 +0000
Commit:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Mon Mar 26 09:19:22 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=551a46a1

www-servers/apache: Bye bye apache-2.2

Package-Manager: Portage-2.3.24, Repoman-2.3.6

 www-servers/apache/Manifest                |   2 -
 www-servers/apache/apache-2.2.34.ebuild    | 114 -----------------------------
 www-servers/apache/files/apache2.2.service |  19 -----
 3 files changed, 135 deletions(-)

diff --git a/www-servers/apache/Manifest b/www-servers/apache/Manifest
index 93c910dd717..2c8bcbc430a 100644
--- a/www-servers/apache/Manifest
+++ b/www-servers/apache/Manifest
@@ -1,8 +1,6 @@
-DIST gentoo-apache-2.2.34-20170918.tar.bz2 64390 BLAKE2B d3f6d85192706d7c49a38cc36e816b3ae531f8c0d42111c33ec32ed39900d36d8a2a85a5d1b5afca22331137f04fb24fb424a42a21caa7eb4f6906fa39cb8224 SHA512 10b42e50dcc196f60bcaefe90c382d62a61339dd8a56e899d6afb6998be4acdd376e2c3509791f22a0acf99d06add497e32703b6d523f640306a6db5e05f358a
 DIST gentoo-apache-2.4.18-r1-20160303.tar.bz2 24505 BLAKE2B 504deabe5ee9e2b32f44e8ea6cde6f01e7f26643ca05eb0aaf860ab6440d821566f83b5c9aacb2201382f9326974c7dddea4f4289d9da5857762611f424f0395 SHA512 68f0c4de38ae05c45839fe692cbb7de641e331ca133b8aaaf69f3659dec15833cda95e6e074edb3a5b6b6d59b3fc5a4ee3589fff810707fe27417a25cd8a4c4d
 DIST gentoo-apache-2.4.27-20170918.tar.bz2 24850 BLAKE2B a832c2c7a575e167b72214f325cb85922c49969ea8cc4b5821ce97b1d4028ab56852bf416cb32c99f2b2b356545b6fea0af0fa4f6e13bf001393b468357cbcfb SHA512 c58a9a0b171188ff163f6b45c47f243797d4050cf461ba1a642115350285879005be6496cee2031bffaccc0d8beda4c27de87afa2ded17cbe559f792eb7c00e8
 DIST gentoo-apache-2.4.33-20180323.tar.bz2 24804 BLAKE2B 42636b36a917d59a016c1143014292d1d34080f295dbfff54c39b82898f37cf280a0a812c70ebc3544dd93c609a62f098816275f0dea0b94ac4b0fdcabb77c9c SHA512 54bc375908eed2c5f590e4d24eae01b502b366425ddec36113874267a0186f0ee815659f6ed92f91455dfefc16d6a486356694c762fcbe19aed01f8db8da01f7
-DIST httpd-2.2.34.tar.bz2 5779739 BLAKE2B 8cdd41fb5d1880da4a1cfef252b4682f613b938594057ea4c9665d3881a50b298fb7339c1ceb3dafc215aa927048f99d500f2d29c125016d5766954be9b632b4 SHA512 e6dac5865a48533c025fe17523ee74d68c3a23f9512c9441b78a140e33cfb6835573eb049b0ad424eb5c5ca78a1915778c54e8a409da95fbdd3890cb99e08240
 DIST httpd-2.4.27.tar.bz2 6527394 BLAKE2B 50a650eb2edd121dac860ff555273290010d7e85bf4d5fbe3683f82e1928dde99ebfabc42186436f5052a66555a73d8b797b114c76c123faa31b9f51575d0bbb SHA512 7e7e8070715b74cb6890096a74e194f4c6a49c14bda685b1ad832e84312f1ac4316ea03a430e679502bfd8e1853aefa544ee002a20d0f7e994b9a590c74bc42c
 DIST httpd-2.4.29.tar.bz2 6567926 BLAKE2B 01a83212941abad548f73fc144f9731ff51e0ed8f975e76cb994247601f7c2f89a3f862e011638afb77988eda0ef2b543634fb6bc45b583e9bdba2c30e565731 SHA512 840982fd3d21463bc5c1747f211dfacf3abdf634d149e49bb49fd2e5deda140de602dbdf31e1bbe5337a48f718ab2261c408e83a8dd39a9291ee7b6b7a85639a
 DIST httpd-2.4.33.tar.bz2 6934765 BLAKE2B 4ff266b85358e3100c8064c84c89db0235e6f46bb4b308e6b3bf642a9c0815eb6a731ee12e3d8ea2bf31a5d5e6621152452f1e8a9625755689f552f2473b1955 SHA512 e74b2b3346d67be45a8bc8a7cbb8eabf5c403a5cfe5797a976f94a539529843fbcdf03b9ca0548816b2cf37f4ce0eb301f8d5af25b1270fdf8dd9f5bf0585269

diff --git a/www-servers/apache/apache-2.2.34.ebuild b/www-servers/apache/apache-2.2.34.ebuild
deleted file mode 100644
index e17bfb660c5..00000000000
--- a/www-servers/apache/apache-2.2.34.ebuild
+++ /dev/null
@@ -1,114 +0,0 @@
-# Copyright 1999-2018 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=5
-
-# latest gentoo apache files
-GENTOO_PATCHSTAMP="20170918"
-GENTOO_DEVELOPER="whissi"
-GENTOO_PATCHNAME="gentoo-apache-2.2.34"
-
-# IUSE/USE_EXPAND magic
-IUSE_MPMS_FORK="itk peruser prefork"
-IUSE_MPMS_THREAD="event worker"
-
-IUSE_MODULES="actions alias asis auth_basic auth_digest authn_alias authn_anon
-authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default
-authz_groupfile authz_host authz_owner authz_user autoindex cache cern_meta
-charset_lite cgi cgid dav dav_fs dav_lock dbd deflate dir disk_cache dumpio
-env expires ext_filter file_cache filter headers ident imagemap include info
-log_config log_forensic logio mem_cache mime mime_magic negotiation proxy
-proxy_ajp proxy_balancer proxy_connect proxy_ftp proxy_http proxy_scgi rewrite
-reqtimeout setenvif speling status substitute unique_id userdir usertrack
-version vhost_alias"
-# The following are also in the source as of this version, but are not available
-# for user selection:
-# bucketeer case_filter case_filter_in echo http isapi optional_fn_export
-# optional_fn_import optional_hook_export optional_hook_import
-
-# inter-module dependencies
-# TODO: this may still be incomplete
-MODULE_DEPENDS="
-	dav_fs:dav
-	dav_lock:dav
-	deflate:filter
-	disk_cache:cache
-	ext_filter:filter
-	file_cache:cache
-	log_forensic:log_config
-	logio:log_config
-	mem_cache:cache
-	mime_magic:mime
-	proxy_ajp:proxy
-	proxy_balancer:proxy
-	proxy_connect:proxy
-	proxy_ftp:proxy
-	proxy_http:proxy
-	proxy_scgi:proxy
-	substitute:filter
-"
-
-# module<->define mappings
-MODULE_DEFINES="
-	auth_digest:AUTH_DIGEST
-	authnz_ldap:AUTHNZ_LDAP
-	cache:CACHE
-	dav:DAV
-	dav_fs:DAV
-	dav_lock:DAV
-	disk_cache:CACHE
-	file_cache:CACHE
-	info:INFO
-	ldap:LDAP
-	mem_cache:CACHE
-	proxy:PROXY
-	proxy_ajp:PROXY
-	proxy_balancer:PROXY
-	proxy_connect:PROXY
-	proxy_ftp:PROXY
-	proxy_http:PROXY
-	ssl:SSL
-	status:STATUS
-	suexec:SUEXEC
-	userdir:USERDIR
-"
-
-# critical modules for the default config
-MODULE_CRITICAL="
-	authz_host
-	dir
-	mime
-"
-
-inherit apache-2 systemd toolchain-funcs
-
-DESCRIPTION="The Apache Web Server"
-HOMEPAGE="https://httpd.apache.org/"
-
-# some helper scripts are Apache-1.1, thus both are here
-LICENSE="Apache-2.0 Apache-1.1"
-SLOT="2"
-KEYWORDS="alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~x86-fbsd"
-IUSE=""
-
-src_configure() {
-	# Brain dead check.
-	tc-is-cross-compiler && export ap_cv_void_ptr_lt_long="no"
-
-	apache-2_src_configure
-}
-
-src_install() {
-	apache-2_src_install
-
-	# install apxs in /usr/bin (bug #502384) and put a symlink into the
-	# old location until all ebuilds and eclasses have been modified to
-	# use the new location.
-	local apxs_dir="/usr/bin"
-	dodir ${apxs_dir}
-	mv "${D}"/usr/sbin/apxs "${D}"${apxs_dir} || die
-	ln -s ../bin/apxs "${D}"/usr/sbin/apxs || die
-
-	systemd_newunit "${FILESDIR}/apache2.2.service" "apache2.service"
-	systemd_dotmpfilesd "${FILESDIR}/apache.conf"
-}

diff --git a/www-servers/apache/files/apache2.2.service b/www-servers/apache/files/apache2.2.service
deleted file mode 100644
index 76f783a423b..00000000000
--- a/www-servers/apache/files/apache2.2.service
+++ /dev/null
@@ -1,19 +0,0 @@
-[Unit]
-Description=The Apache HTTP Server
-After=network.target remote-fs.target nss-lookup.target
-
-[Service]
-EnvironmentFile=/etc/conf.d/apache2
-ExecStart=/usr/sbin/apache2 $APACHE2_OPTS -DFOREGROUND
-ExecReload=/usr/sbin/apache2 $APACHE2_OPTS -k graceful
-ExecStop=/usr/sbin/apache2 $APACHE2_OPTS -k graceful-stop
-# We want systemd to give httpd some time to finish gracefully, but still want
-# it to kill httpd after TimeoutStopSec if something went wrong during the
-# graceful stop. Normally, Systemd sends SIGTERM signal right after the
-# ExecStop, which would kill httpd. We are sending useless SIGCONT here to give
-# httpd time to finish.
-KillSignal=SIGCONT
-PrivateTmp=true
-
-[Install]
-WantedBy=multi-user.target


^ permalink raw reply related	[flat|nested] 15+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: www-servers/apache/, www-servers/apache/files/
@ 2017-01-12 22:55 Lars Wendler
  0 siblings, 0 replies; 15+ messages in thread
From: Lars Wendler @ 2017-01-12 22:55 UTC (permalink / raw
  To: gentoo-commits

commit:     2f7d831f153cd5c11ec1001fc86b0d0dfb1fa1d2
Author:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Thu Jan 12 22:52:51 2017 +0000
Commit:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Thu Jan 12 22:52:51 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2f7d831f

www-servers/apache: Removed old.

Package-Manager: Portage-2.3.3, Repoman-2.3.1

 www-servers/apache/apache-2.2.31.ebuild           | 115 ------
 www-servers/apache/apache-2.4.23.ebuild           | 237 -----------
 www-servers/apache/files/apache-2.4.12-alpn.patch | 476 ----------------------
 3 files changed, 828 deletions(-)

diff --git a/www-servers/apache/apache-2.2.31.ebuild b/www-servers/apache/apache-2.2.31.ebuild
deleted file mode 100644
index 6a3ac35..00000000
--- a/www-servers/apache/apache-2.2.31.ebuild
+++ /dev/null
@@ -1,115 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI=5
-
-# latest gentoo apache files
-GENTOO_PATCHSTAMP="20140922"
-GENTOO_DEVELOPER="polynomial-c"
-GENTOO_PATCHNAME="gentoo-apache-2.2.29"
-
-# IUSE/USE_EXPAND magic
-IUSE_MPMS_FORK="itk peruser prefork"
-IUSE_MPMS_THREAD="event worker"
-
-IUSE_MODULES="actions alias asis auth_basic auth_digest authn_alias authn_anon
-authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default
-authz_groupfile authz_host authz_owner authz_user autoindex cache cern_meta
-charset_lite cgi cgid dav dav_fs dav_lock dbd deflate dir disk_cache dumpio
-env expires ext_filter file_cache filter headers ident imagemap include info
-log_config log_forensic logio mem_cache mime mime_magic negotiation proxy
-proxy_ajp proxy_balancer proxy_connect proxy_ftp proxy_http proxy_scgi rewrite
-reqtimeout setenvif speling status substitute unique_id userdir usertrack
-version vhost_alias"
-# The following are also in the source as of this version, but are not available
-# for user selection:
-# bucketeer case_filter case_filter_in echo http isapi optional_fn_export
-# optional_fn_import optional_hook_export optional_hook_import
-
-# inter-module dependencies
-# TODO: this may still be incomplete
-MODULE_DEPENDS="
-	dav_fs:dav
-	dav_lock:dav
-	deflate:filter
-	disk_cache:cache
-	ext_filter:filter
-	file_cache:cache
-	log_forensic:log_config
-	logio:log_config
-	mem_cache:cache
-	mime_magic:mime
-	proxy_ajp:proxy
-	proxy_balancer:proxy
-	proxy_connect:proxy
-	proxy_ftp:proxy
-	proxy_http:proxy
-	proxy_scgi:proxy
-	substitute:filter
-"
-
-# module<->define mappings
-MODULE_DEFINES="
-	auth_digest:AUTH_DIGEST
-	authnz_ldap:AUTHNZ_LDAP
-	cache:CACHE
-	dav:DAV
-	dav_fs:DAV
-	dav_lock:DAV
-	disk_cache:CACHE
-	file_cache:CACHE
-	info:INFO
-	ldap:LDAP
-	mem_cache:CACHE
-	proxy:PROXY
-	proxy_ajp:PROXY
-	proxy_balancer:PROXY
-	proxy_connect:PROXY
-	proxy_ftp:PROXY
-	proxy_http:PROXY
-	ssl:SSL
-	status:STATUS
-	suexec:SUEXEC
-	userdir:USERDIR
-"
-
-# critical modules for the default config
-MODULE_CRITICAL="
-	authz_host
-	dir
-	mime
-"
-
-inherit apache-2 systemd toolchain-funcs
-
-DESCRIPTION="The Apache Web Server"
-HOMEPAGE="https://httpd.apache.org/"
-
-# some helper scripts are Apache-1.1, thus both are here
-LICENSE="Apache-2.0 Apache-1.1"
-SLOT="2"
-KEYWORDS="alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd"
-IUSE=""
-
-src_configure() {
-	# Brain dead check.
-	tc-is-cross-compiler && export ap_cv_void_ptr_lt_long="no"
-
-	apache-2_src_configure
-}
-
-src_install() {
-	apache-2_src_install
-
-	# install apxs in /usr/bin (bug #502384) and put a symlink into the
-	# old location until all ebuilds and eclasses have been modified to
-	# use the new location.
-	local apxs_dir="/usr/bin"
-	dodir ${apxs_dir}
-	mv "${D}"/usr/sbin/apxs "${D}"${apxs_dir} || die
-	ln -s ../bin/apxs "${D}"/usr/sbin/apxs || die
-
-	systemd_newunit "${FILESDIR}/apache2.2.service" "apache2.service"
-	systemd_dotmpfilesd "${FILESDIR}/apache.conf"
-}

diff --git a/www-servers/apache/apache-2.4.23.ebuild b/www-servers/apache/apache-2.4.23.ebuild
deleted file mode 100644
index 9d254fa..00000000
--- a/www-servers/apache/apache-2.4.23.ebuild
+++ /dev/null
@@ -1,237 +0,0 @@
-# Copyright 1999-2016 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI=5
-
-# latest gentoo apache files
-GENTOO_PATCHSTAMP="20160303"
-GENTOO_DEVELOPER="polynomial-c"
-GENTOO_PATCHNAME="gentoo-apache-2.4.18-r1"
-
-# IUSE/USE_EXPAND magic
-IUSE_MPMS_FORK="prefork"
-IUSE_MPMS_THREAD="event worker"
-
-# << obsolete modules:
-# authn_default authz_default mem_cache
-# mem_cache is replaced by cache_disk
-# ?? buggy modules
-# proxy_scgi: startup error: undefined symbol "ap_proxy_release_connection", no fix found
-# >> added modules for reason:
-# compat: compatibility with 2.2 access control
-# authz_host: new module for access control
-# authn_core: functionality provided by authn_alias in previous versions
-# authz_core: new module, provides core authorization capabilities
-# cache_disk: replacement for mem_cache
-# lbmethod_byrequests: Split off from mod_proxy_balancer in 2.3
-# lbmethod_bytraffic: Split off from mod_proxy_balancer in 2.3
-# lbmethod_bybusyness: Split off from mod_proxy_balancer in 2.3
-# lbmethod_heartbeat: Split off from mod_proxy_balancer in 2.3
-# slotmem_shm: Slot-based shared memory provider (for lbmethod_byrequests).
-# socache_shmcb: shared object cache provider. Default config with ssl needs it
-# unixd: fixes startup error: Invalid command 'User'
-IUSE_MODULES="access_compat actions alias asis auth_basic auth_digest
-authn_alias authn_anon authn_core authn_dbd authn_dbm authn_file authz_core
-authz_dbd authz_dbm authz_groupfile authz_host authz_owner authz_user autoindex
-cache cache_disk cern_meta charset_lite cgi cgid dav dav_fs dav_lock dbd deflate
-dir dumpio env expires ext_filter file_cache filter headers http2 ident imagemap
-include info lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness
-lbmethod_heartbeat log_config log_forensic logio macro mime mime_magic negotiation
-proxy proxy_ajp proxy_balancer proxy_connect proxy_ftp proxy_html proxy_http proxy_scgi
-proxy_fcgi  proxy_wstunnel rewrite ratelimit remoteip reqtimeout setenvif
-slotmem_shm speling socache_shmcb status substitute unique_id userdir usertrack
-unixd version vhost_alias"
-# The following are also in the source as of this version, but are not available
-# for user selection:
-# bucketeer case_filter case_filter_in echo http isapi optional_fn_export
-# optional_fn_import optional_hook_export optional_hook_import
-
-# inter-module dependencies
-# TODO: this may still be incomplete
-MODULE_DEPENDS="
-	dav_fs:dav
-	dav_lock:dav
-	deflate:filter
-	cache_disk:cache
-	ext_filter:filter
-	file_cache:cache
-	lbmethod_byrequests:proxy_balancer
-	lbmethod_byrequests:slotmem_shm
-	lbmethod_bytraffic:proxy_balancer
-	lbmethod_bybusyness:proxy_balancer
-	lbmethod_heartbeat:proxy_balancer
-	log_forensic:log_config
-	logio:log_config
-	cache_disk:cache
-	mime_magic:mime
-	proxy_ajp:proxy
-	proxy_balancer:proxy
-	proxy_balancer:slotmem_shm
-	proxy_connect:proxy
-	proxy_ftp:proxy
-	proxy_html:proxy
-	proxy_http:proxy
-	proxy_scgi:proxy
-	proxy_fcgi:proxy
-	proxy_wstunnel:proxy
-	substitute:filter
-"
-
-# module<->define mappings
-MODULE_DEFINES="
-	auth_digest:AUTH_DIGEST
-	authnz_ldap:AUTHNZ_LDAP
-	cache:CACHE
-	cache_disk:CACHE
-	dav:DAV
-	dav_fs:DAV
-	dav_lock:DAV
-	file_cache:CACHE
-	http2:HTTP2
-	info:INFO
-	ldap:LDAP
-	proxy:PROXY
-	proxy_ajp:PROXY
-	proxy_balancer:PROXY
-	proxy_connect:PROXY
-	proxy_ftp:PROXY
-	proxy_html:PROXY
-	proxy_http:PROXY
-	proxy_fcgi:PROXY
-	proxy_scgi:PROXY
-	proxy_wstunnel:PROXY
-	socache_shmcb:SSL
-	ssl:SSL
-	status:STATUS
-	suexec:SUEXEC
-	userdir:USERDIR
-"
-
-# critical modules for the default config
-MODULE_CRITICAL="
-	authn_core
-	authz_core
-	authz_host
-	dir
-	mime
-	unixd
-"
-inherit eutils apache-2 systemd toolchain-funcs
-
-DESCRIPTION="The Apache Web Server"
-HOMEPAGE="https://httpd.apache.org/"
-
-# some helper scripts are Apache-1.1, thus both are here
-LICENSE="Apache-2.0 Apache-1.1"
-SLOT="2"
-KEYWORDS="alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~x64-macos ~x86-macos ~m68k-mint ~sparc64-solaris ~x64-solaris"
-
-DEPEND+="apache2_modules_http2? ( >=net-libs/nghttp2-1.2.1 )"
-
-REQUIRED_USE="apache2_modules_http2? ( ssl )"
-
-pkg_setup() {
-	# dependend critical modules which are not allowed in global scope due
-	# to USE flag conditionals (bug #499260)
-	use ssl && MODULE_CRITICAL+=" socache_shmcb"
-	use doc && MODULE_CRITICAL+=" alias negotiation setenvif"
-	apache-2_pkg_setup
-}
-
-src_configure() {
-	# Brain dead check.
-	tc-is-cross-compiler && export ap_cv_void_ptr_lt_long="no"
-
-	apache-2_src_configure
-}
-
-src_compile() {
-	if tc-is-cross-compiler; then
-		# This header is the same across targets, so use the build compiler.
-		pushd server >/dev/null
-		emake gen_test_char
-		tc-export_build_env BUILD_CC
-		${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} \
-			gen_test_char.c -o gen_test_char $(apr-1-config --includes) || die
-		popd >/dev/null
-	fi
-
-	default
-}
-
-src_install() {
-	apache-2_src_install
-	for i in /usr/bin/{htdigest,logresolve,htpasswd,htdbm,ab,httxt2dbm}; do
-		rm "${ED}"/$i || die "Failed to prune apache-tools bits"
-	done
-	for i in /usr/share/man/man8/{rotatelogs.8,htcacheclean.8}; do
-		rm "${ED}"/$i || die "Failed to prune apache-tools bits"
-	done
-	for i in /usr/share/man/man1/{logresolve.1,htdbm.1,htdigest.1,htpasswd.1,dbmmanage.1,ab.1}; do
-		rm "${ED}"/$i || die "Failed to prune apache-tools bits"
-	done
-	for i in /usr/sbin/{checkgid,fcgistarter,htcacheclean,rotatelogs}; do
-		rm "${ED}/"$i || die "Failed to prune apache-tools bits"
-	done
-
-	# install apxs in /usr/bin (bug #502384) and put a symlink into the
-	# old location until all ebuilds and eclasses have been modified to
-	# use the new location.
-	local apxs="/usr/bin/apxs"
-	cp "${S}"/support/apxs "${ED}"${apxs} || die "Failed to install apxs"
-	ln -s ../bin/apxs "${ED}"/usr/sbin/apxs || die
-	chmod 0755 "${ED}"${apxs} || die
-
-	# Note: wait for mod_systemd to be included in the next release,
-	# then apache2.4.service can be used and systemd support controlled
-	# through --enable-systemd
-	systemd_newunit "${FILESDIR}/apache2.2.service" "apache2.service"
-	systemd_dotmpfilesd "${FILESDIR}/apache.conf"
-	#insinto /etc/apache2/modules.d
-	#doins "${FILESDIR}/00_systemd.conf"
-
-	# Install http2 module config
-	insinto /etc/apache2/modules.d
-	doins "${FILESDIR}"/41_mod_http2.conf
-}
-
-pkg_postinst()
-{
-	apache-2_pkg_postinst || die "apache-2_pkg_postinst failed"
-	# warnings that default config might not work out of the box
-	for mod in $MODULE_CRITICAL; do
-		if ! use "apache2_modules_${mod}"; then
-			echo
-			ewarn "Warning: Critical module not installed!"
-			ewarn "Modules 'authn_core', 'authz_core' and 'unixd'"
-			ewarn "are highly recomended but might not be in the base profile yet."
-			ewarn "Default config for ssl needs module 'socache_shmcb'."
-			ewarn "Enabling the following flags is highly recommended:"
-			for cmod in $MODULE_CRITICAL; do
-				use "apache2_modules_${cmod}" || \
-					ewarn "+ apache2_modules_${cmod}"
-			done
-			echo
-			break
-		fi
-	done
-	# warning for proxy_balancer and missing load balancing scheduler
-	if use apache2_modules_proxy_balancer; then
-		local lbset=
-		for mod in lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat; do
-			if use "apache2_modules_${mod}"; then
-				lbset=1 && break
-			fi
-		done
-		if [ ! $lbset ]; then
-			echo
-			ewarn "Info: Missing load balancing scheduler algorithm module"
-			ewarn "(They were split off from proxy_balancer in 2.3)"
-			ewarn "In order to get the ability of load balancing, at least"
-			ewarn "one of these modules has to be present:"
-			ewarn "lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat"
-			echo
-		fi
-	fi
-}

diff --git a/www-servers/apache/files/apache-2.4.12-alpn.patch b/www-servers/apache/files/apache-2.4.12-alpn.patch
deleted file mode 100644
index 25bb6e1..00000000
--- a/www-servers/apache/files/apache-2.4.12-alpn.patch
+++ /dev/null
@@ -1,476 +0,0 @@
-https://bugs.gentoo.org/471512
-
-upstream apache has merged alpn into trunk:
-https://issues.apache.org/bugzilla/show_bug.cgi?id=52210
-note: the bug is closed INVALID due to the npn discussion; go to the bottom to
-see alpn merged into it trunk.  unfortunately, it wasn't merged into the 2.4
-branch.
-
-the mod_h2 project has backported it to the 2.4 branch:
-https://github.com/icing/mod_h2/tree/master/sandbox/httpd/patches
-commit 73e4d0e9c813b58581a32a6948780fa948094cc1
-
---- modules/ssl/mod_ssl.c
-+++ modules/ssl/mod_ssl.c
-@@ -273,6 +273,12 @@
-                 "OpenSSL configuration command")
- #endif
- 
-+#ifdef HAVE_TLS_ALPN
-+    SSL_CMD_SRV(ALPNPreference, ITERATE,
-+                "Preference in Application-Layer Protocol Negotiation (ALPN), "
-+                "protocols are chosen in the specified order")
-+#endif
-+
-     /* Deprecated directives. */
-     AP_INIT_RAW_ARGS("SSLLog", ap_set_deprecated, NULL, OR_ALL,
-       "SSLLog directive is no longer supported - use ErrorLog."),
-@@ -423,12 +448,44 @@
-     return 1;
- }
- 
-+static int modssl_register_alpn(conn_rec *c,
-+                               ssl_alpn_propose_protos advertisefn,
-+                               ssl_alpn_proto_negotiated negotiatedfn)
-+{
-+#ifdef HAVE_TLS_ALPN
-+    SSLConnRec *sslconn = myConnConfig(c);
-+
-+    if (!sslconn) {
-+        return DECLINED;
-+    }
-+
-+    if (!sslconn->alpn_proposefns) {
-+        sslconn->alpn_proposefns =
-+        apr_array_make(c->pool, 5, sizeof(ssl_alpn_propose_protos));
-+        sslconn->alpn_negofns =
-+        apr_array_make(c->pool, 5, sizeof(ssl_alpn_proto_negotiated));
-+    }
-+
-+    if (advertisefn)
-+        APR_ARRAY_PUSH(sslconn->alpn_proposefns, ssl_alpn_propose_protos) =
-+            advertisefn;
-+    if (negotiatedfn)
-+        APR_ARRAY_PUSH(sslconn->alpn_negofns, ssl_alpn_proto_negotiated) =
-+            negotiatedfn;
-+
-+    return OK;
-+#else
-+    return DECLINED;
-+#endif
-+}
-+
- int ssl_init_ssl_connection(conn_rec *c, request_rec *r)
- {
-     SSLSrvConfigRec *sc;
-     SSL *ssl;
-     SSLConnRec *sslconn = myConnConfig(c);
-     char *vhost_md5;
-+    int rc;
-     modssl_ctx_t *mctx;
-     server_rec *server;
- 
-@@ -585,6 +647,7 @@
- 
-     APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
-     APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
-+    APR_REGISTER_OPTIONAL_FN(modssl_register_alpn);
- 
-     ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "ssl",
-                               AUTHZ_PROVIDER_VERSION,
---- modules/ssl/mod_ssl.h
-+++ modules/ssl/mod_ssl.h
-@@ -63,5 +93,46 @@
- 
- APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
- 
-+/** The alpn_propose_proto callback allows other modules to propose
-+ * the name of the protocol that will be chosen during the
-+ * Application-Layer Protocol Negotiation (ALPN) portion of the SSL handshake.
-+ * The callback is given the connection and a list of NULL-terminated
-+ * protocol strings as supported by the client.  If this client_protos is
-+ * non-empty, it must pick its preferred protocol from that list. Otherwise
-+ * it should add its supported protocols in order of precedence.
-+ * The callback should not yet modify the connection or install any filters
-+ * as its proposal(s) may be overridden by another callback or server
-+ * configuration.
-+ * It should return OK or, to prevent further processing of (other modules')
-+ * callbacks, return DONE.
-+ */
-+typedef int (*ssl_alpn_propose_protos)(conn_rec *connection,
-+                                    apr_array_header_t *client_protos,
-+                                    apr_array_header_t *proposed_protos);
-+
-+/** The alpn_proto_negotiated callback allows other modules to discover
-+ * the name of the protocol that was chosen during the Application-Layer
-+ * Protocol Negotiation (ALPN) portion of the SSL handshake.
-+ * The callback is given the connection, a
-+ * non-NUL-terminated string containing the protocol name, and the
-+ * length of the string; it should do something appropriate
-+ * (i.e. insert or remove filters) and return OK. To prevent further
-+ * processing of (other modules') callbacks, return DONE. */
-+typedef int (*ssl_alpn_proto_negotiated)(conn_rec *connection,
-+                                        const char *proto_name,
-+                                        apr_size_t proto_name_len);
-+
-+/* An optional function which can be used to register a pair of callbacks
-+ * for ALPN handling.
-+ * This optional function should be invoked from a pre_connection hook
-+ * which runs *after* mod_ssl.c's pre_connection hook.  The function returns
-+ * OK if the callbacks are registered, or DECLINED otherwise (for example if
-+ * mod_ssl does not support ALPN).
-+ */
-+APR_DECLARE_OPTIONAL_FN(int, modssl_register_alpn,
-+                        (conn_rec *conn,
-+                         ssl_alpn_propose_protos proposefn,
-+                         ssl_alpn_proto_negotiated negotiatedfn));
-+
- #endif /* __MOD_SSL_H__ */
- /** @} */
---- modules/ssl/ssl_engine_config.c
-+++ modules/ssl/ssl_engine_config.c
-@@ -159,6 +160,9 @@
-     SSL_CONF_CTX_set_flags(mctx->ssl_ctx_config, SSL_CONF_FLAG_CERTIFICATE);
-     mctx->ssl_ctx_param = apr_array_make(p, 5, sizeof(ssl_ctx_param_t));
- #endif
-+#ifdef HAVE_TLS_ALPN
-+    mctx->ssl_alpn_pref = apr_array_make(p, 5, sizeof(const char *));
-+#endif
- }
- 
- static void modssl_ctx_init_proxy(SSLSrvConfigRec *sc,
-@@ -301,6 +307,9 @@
- #ifdef HAVE_SSL_CONF_CMD
-     cfgMergeArray(ssl_ctx_param);
- #endif
-+#ifdef HAVE_TLS_ALPN
-+    cfgMergeArray(ssl_alpn_pref);
-+#endif
- }
- 
- static void modssl_ctx_cfg_merge_proxy(apr_pool_t *p,
-@@ -1875,6 +1868,16 @@
- }
- #endif
- 
-+#ifdef HAVE_TLS_ALPN
-+const char *ssl_cmd_SSLALPNPreference(cmd_parms *cmd, void *dcfg,
-+                                      const char *protocol)
-+{
-+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
-+    APR_ARRAY_PUSH(sc->server->ssl_alpn_pref, const char *) = protocol;
-+    return NULL;
-+}
-+#endif
-+
- #ifdef HAVE_SRP
- 
- const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg,
---- modules/ssl/ssl_engine_init.c
-+++ modules/ssl/ssl_engine_init.c
-@@ -623,6 +646,11 @@
-     SSL_CTX_set_tmp_dh_callback(ctx,  ssl_callback_TmpDH);
- 
-     SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
-+
-+#ifdef HAVE_TLS_ALPN
-+    SSL_CTX_set_alpn_select_cb(
-+       ctx, ssl_callback_alpn_select, NULL);
-+#endif
- }
- 
- static apr_status_t ssl_init_ctx_verify(server_rec *s,
---- modules/ssl/ssl_engine_io.c
-+++ modules/ssl/ssl_engine_io.c
-@@ -28,6 +28,7 @@
-                                   core keeps dumping.''
-                                             -- Unknown    */
- #include "ssl_private.h"
-+#include "mod_ssl.h"
- #include "apr_date.h"
- 
- /*  _________________________________________________________________
-@@ -297,6 +315,9 @@
-     apr_pool_t *pool;
-     char buffer[AP_IOBUFSIZE];
-     ssl_filter_ctx_t *filter_ctx;
-+#ifdef HAVE_TLS_ALPN
-+    int alpn_finished;  /* 1 if ALPN has finished, 0 otherwise */
-+#endif
- } bio_filter_in_ctx_t;
- 
- /*
-@@ -1412,6 +1485,37 @@
-         APR_BRIGADE_INSERT_TAIL(bb, bucket);
-     }
- 
-+#ifdef HAVE_TLS_ALPN
-+    /* By this point, Application-Layer Protocol Negotiation (ALPN) should be
-+     * completed (if our version of OpenSSL supports it). If we haven't already,
-+     * find out which protocol was decided upon and inform other modules
-+     * by calling alpn_proto_negotiated_hook.
-+     */
-+    if (!inctx->alpn_finished) {
-+        SSLConnRec *sslconn = myConnConfig(f->c);
-+        const unsigned char *next_proto = NULL;
-+        unsigned next_proto_len = 0;
-+        int n;
-+
-+        if (sslconn->alpn_negofns) {
-+            SSL_get0_alpn_selected(inctx->ssl, &next_proto, &next_proto_len);
-+            ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c,
-+                          APLOGNO(02836) "SSL negotiated protocol: '%s'",
-+                          (next_proto && next_proto_len)?
-+                         apr_pstrmemdup(f->c->pool, (const char *)next_proto,
-+                              next_proto_len) : "(null)");
-+            for (n = 0; n < sslconn->alpn_negofns->nelts; n++) {
-+                ssl_alpn_proto_negotiated fn =
-+                APR_ARRAY_IDX(sslconn->alpn_negofns, n, ssl_alpn_proto_negotiated);
-+
-+                if (fn(f->c, (const char *)next_proto, next_proto_len) == DONE)
-+                break;
-+            }
-+        }
-+        inctx->alpn_finished = 1;
-+    }
-+#endif
-+
-     return APR_SUCCESS;
- }
- 
-@@ -1893,6 +1996,9 @@
-     inctx->block = APR_BLOCK_READ;
-     inctx->pool = c->pool;
-     inctx->filter_ctx = filter_ctx;
-+#ifdef HAVE_TLS_ALPN
-+    inctx->alpn_finished = 0;
-+#endif
- }
- 
- /* The request_rec pointer is passed in here only to ensure that the
---- modules/ssl/ssl_engine_kernel.c
-+++ modules/ssl/ssl_engine_kernel.c
-@@ -29,6 +29,7 @@
-                                   time I was too famous.''
-                                             -- Unknown                */
- #include "ssl_private.h"
-+#include "mod_ssl.h"
- #include "util_md5.h"
- 
- static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
-@@ -2137,6 +2162,153 @@
- }
- #endif /* HAVE_TLS_SESSION_TICKETS */
- 
-+#ifdef HAVE_TLS_ALPN
-+static int ssl_array_index(apr_array_header_t *array,
-+                           const char *s)
-+{
-+    int i;
-+    for (i = 0; i < array->nelts; i++) {
-+        const char *p = APR_ARRAY_IDX(array, i, const char*);
-+        if (!strcmp(p, s)) {
-+            return i;
-+        }
-+    }
-+    return -1;
-+}
-+
-+/*
-+ * Compare two ALPN protocol proposal. Result is similar to strcmp():
-+ * 0 gives same precedence, >0 means proto1 is prefered.
-+ */
-+static int ssl_cmp_alpn_protos(modssl_ctx_t *ctx,
-+                               const char *proto1,
-+                               const char *proto2)
-+{
-+    /* TODO: we should have a mod_ssl configuration parameter. */
-+    if (ctx && ctx->ssl_alpn_pref) {
-+        int index1 = ssl_array_index(ctx->ssl_alpn_pref, proto1);
-+        int index2 = ssl_array_index(ctx->ssl_alpn_pref, proto2);
-+        if (index2 > index1) {
-+            return (index1 >= 0)? 1 : -1;
-+        }
-+        else if (index1 > index2) {
-+            return (index2 >= 0)? -1 : 1;
-+        }
-+    }
-+    /* both have the same index (mabye -1 or no pref configured) and we compare
-+     * the names so that spdy3 gets precedence over spdy2. That makes
-+     * the outcome at least deterministic. */
-+    return strcmp((const char *)proto1, (const char *)proto2);
-+}
-+
-+/*
-+ * This callback function is executed when the TLS Application Layer
-+ * Protocol Negotiate Extension (ALPN, RFC 7301) is triggered by the client
-+ * hello, giving a list of desired protocol names (in descending preference)
-+ * to the server.
-+ * The callback has to select a protocol name or return an error if none of
-+ * the clients preferences is supported.
-+ * The selected protocol does not have to be on the client list, according
-+ * to RFC 7301, so no checks are performed.
-+ * The client protocol list is serialized as length byte followed by ascii
-+ * characters (not null-terminated), followed by the next protocol name.
-+ */
-+int ssl_callback_alpn_select(SSL *ssl,
-+                             const unsigned char **out, unsigned char *outlen,
-+                             const unsigned char *in, unsigned int inlen, void *arg)
-+{
-+    conn_rec *c = (conn_rec*)SSL_get_app_data(ssl);
-+    SSLConnRec *sslconn = myConnConfig(c);
-+    server_rec *s       = mySrvFromConn(c);
-+    SSLSrvConfigRec *sc = mySrvConfig(s);
-+    modssl_ctx_t *mctx  = myCtxConfig(sslconn, sc);
-+    const char *alpn_http1 = "http/1.1";
-+    apr_array_header_t *client_protos;
-+    apr_array_header_t *proposed_protos;
-+    int i;
-+    size_t len;
-+
-+    /* If the connection object is not available,
-+     * then there's nothing for us to do. */
-+    if (c == NULL) {
-+        return SSL_TLSEXT_ERR_OK;
-+    }
-+
-+    if (inlen == 0) {
-+        // someone tries to trick us?
-+        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02837)
-+                      "ALPN client protocol list empty");
-+        return SSL_TLSEXT_ERR_ALERT_FATAL;
-+    }
-+
-+    client_protos = apr_array_make(c->pool, 0, sizeof(char *));
-+    for (i = 0; i < inlen; /**/) {
-+        unsigned int plen = in[i++];
-+        if (plen + i > inlen) {
-+            // someone tries to trick us?
-+            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02838)
-+                          "ALPN protocol identier too long");
-+            return SSL_TLSEXT_ERR_ALERT_FATAL;
-+        }
-+        APR_ARRAY_PUSH(client_protos, char*) =
-+            apr_pstrndup(c->pool, (const char *)in+i, plen);
-+        i += plen;
-+    }
-+
-+    proposed_protos = apr_array_make(c->pool, client_protos->nelts+1,
-+                                     sizeof(char *));
-+
-+    if (sslconn->alpn_proposefns != NULL) {
-+        /* Invoke our alpn_propos_proto hooks, giving other modules a chance to
-+         * propose protocol names for selection. We might have several such
-+         * hooks installed and if two make a proposal, we need to give
-+         * preference to one.
-+         */
-+        for (i = 0; i < sslconn->alpn_proposefns->nelts; i++) {
-+            ssl_alpn_propose_protos fn =
-+                APR_ARRAY_IDX(sslconn->alpn_proposefns, i,
-+                              ssl_alpn_propose_protos);
-+
-+            if (fn(c, client_protos, proposed_protos) == DONE)
-+                break;
-+        }
-+    }
-+
-+    if (proposed_protos->nelts <= 0) {
-+        /* Regardless of installed hooks, the http/1.1 protocol is always
-+         * supported by us. Choose it if none other matches. */
-+        if (ssl_array_index(client_protos, alpn_http1) < 0) {
-+            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02839)
-+                          "none of the client ALPN protocols are supported");
-+            return SSL_TLSEXT_ERR_ALERT_FATAL;
-+        }
-+        *out = (const unsigned char*)alpn_http1;
-+        *outlen = (unsigned char)strlen(alpn_http1);
-+        return SSL_TLSEXT_ERR_OK;
-+    }
-+
-+    /* Now select the most preferred protocol from the proposals. */
-+    *out = APR_ARRAY_IDX(proposed_protos, 0, const unsigned char *);
-+    for (i = 1; i < proposed_protos->nelts; ++i) {
-+        const char *proto = APR_ARRAY_IDX(proposed_protos, i, const char*);
-+        /* Do we prefer it over existing candidate? */
-+        if (ssl_cmp_alpn_protos(mctx, (const char *)*out, proto) < 0) {
-+            *out = (const unsigned char*)proto;
-+        }
-+    }
-+
-+    len = strlen((const char*)*out);
-+    if (len > 255) {
-+        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02840)
-+                      "ALPN negotiated protocol name too long");
-+        return SSL_TLSEXT_ERR_ALERT_FATAL;
-+    }
-+    *outlen = (unsigned char)len;
-+
-+    return SSL_TLSEXT_ERR_OK;
-+}
-+#endif
-+
- #ifdef HAVE_SRP
- 
- int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg)
---- modules/ssl/ssl_private.h
-+++ modules/ssl/ssl_private.h
-@@ -182,6 +182,11 @@
- #include <openssl/srp.h>
- #endif
- 
-+/* ALPN Protocol Negotiation */
-+#if defined(TLSEXT_TYPE_application_layer_protocol_negotiation)
-+#define HAVE_TLS_ALPN
-+#endif
-+
- #endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */
- 
- /* mod_ssl headers */
-@@ -443,6 +438,12 @@
-                      * connection */
-     } reneg_state;
- 
-+#ifdef HAVE_TLS_ALPN
-+    /* Poor man's inter-module optional hooks for ALPN. */
-+    apr_array_header_t *alpn_proposefns; /* list of ssl_alpn_propose_protos callbacks */
-+    apr_array_header_t *alpn_negofns; /* list of ssl_alpn_proto_negotiated callbacks. */
-+#endif
-+
-     server_rec *server;
- } SSLConnRec;
- 
-@@ -633,6 +633,10 @@
-     SSL_CONF_CTX *ssl_ctx_config; /* Configuration context */
-     apr_array_header_t *ssl_ctx_param; /* parameters to pass to SSL_CTX */
- #endif
-+
-+#ifdef HAVE_TLS_ALPN
-+  apr_array_header_t *ssl_alpn_pref; /* protocol names in order of preference */
-+#endif
- } modssl_ctx_t;
- 
- struct SSLSrvConfigRec {
-@@ -763,6 +763,10 @@
- const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg, const char *arg1, const char *arg2);
- #endif
- 
-+#ifdef HAVE_TLS_ALPN
-+const char *ssl_cmd_SSLALPNPreference(cmd_parms *cmd, void *dcfg, const char *protocol);
-+#endif
-+
- #ifdef HAVE_SRP
- const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg, const char *arg);
- const char *ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms *cmd, void *dcfg, const char *arg);
-@@ -815,6 +815,12 @@
-                                        EVP_CIPHER_CTX *, HMAC_CTX *, int);
- #endif
- 
-+#ifdef HAVE_TLS_ALPN
-+int ssl_callback_alpn_select(SSL *ssl, const unsigned char **out,
-+                             unsigned char *outlen, const unsigned char *in,
-+                             unsigned int inlen, void *arg);
-+#endif
-+
- /**  Session Cache Support  */
- apr_status_t ssl_scache_init(server_rec *, apr_pool_t *);
- void         ssl_scache_status_register(apr_pool_t *p);


^ permalink raw reply related	[flat|nested] 15+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: www-servers/apache/, www-servers/apache/files/
@ 2016-08-13 20:51 Richard Freeman
  0 siblings, 0 replies; 15+ messages in thread
From: Richard Freeman @ 2016-08-13 20:51 UTC (permalink / raw
  To: gentoo-commits

commit:     4a99c7205e6f7af2d7ecb37fb0ea36cd73a6fbf7
Author:     Richard Freeman <rich0 <AT> gentoo <DOT> org>
AuthorDate: Sat Aug 13 20:50:20 2016 +0000
Commit:     Richard Freeman <rich0 <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 20:51:12 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4a99c720

www-servers/apache: add systemd hardening

Bug: 586984

Package-Manager: portage-2.2.28

 www-servers/apache/apache-2.4.23-r1.ebuild         | 237 +++++++++++++++++++++
 .../apache/files/apache2.2-hardened.service        |  27 +++
 2 files changed, 264 insertions(+)

diff --git a/www-servers/apache/apache-2.4.23-r1.ebuild b/www-servers/apache/apache-2.4.23-r1.ebuild
new file mode 100644
index 0000000..3b4efa3
--- /dev/null
+++ b/www-servers/apache/apache-2.4.23-r1.ebuild
@@ -0,0 +1,237 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+# latest gentoo apache files
+GENTOO_PATCHSTAMP="20160303"
+GENTOO_DEVELOPER="polynomial-c"
+GENTOO_PATCHNAME="gentoo-apache-2.4.18-r1"
+
+# IUSE/USE_EXPAND magic
+IUSE_MPMS_FORK="prefork"
+IUSE_MPMS_THREAD="event worker"
+
+# << obsolete modules:
+# authn_default authz_default mem_cache
+# mem_cache is replaced by cache_disk
+# ?? buggy modules
+# proxy_scgi: startup error: undefined symbol "ap_proxy_release_connection", no fix found
+# >> added modules for reason:
+# compat: compatibility with 2.2 access control
+# authz_host: new module for access control
+# authn_core: functionality provided by authn_alias in previous versions
+# authz_core: new module, provides core authorization capabilities
+# cache_disk: replacement for mem_cache
+# lbmethod_byrequests: Split off from mod_proxy_balancer in 2.3
+# lbmethod_bytraffic: Split off from mod_proxy_balancer in 2.3
+# lbmethod_bybusyness: Split off from mod_proxy_balancer in 2.3
+# lbmethod_heartbeat: Split off from mod_proxy_balancer in 2.3
+# slotmem_shm: Slot-based shared memory provider (for lbmethod_byrequests).
+# socache_shmcb: shared object cache provider. Default config with ssl needs it
+# unixd: fixes startup error: Invalid command 'User'
+IUSE_MODULES="access_compat actions alias asis auth_basic auth_digest
+authn_alias authn_anon authn_core authn_dbd authn_dbm authn_file authz_core
+authz_dbd authz_dbm authz_groupfile authz_host authz_owner authz_user autoindex
+cache cache_disk cern_meta charset_lite cgi cgid dav dav_fs dav_lock dbd deflate
+dir dumpio env expires ext_filter file_cache filter headers http2 ident imagemap
+include info lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness
+lbmethod_heartbeat log_config log_forensic logio macro mime mime_magic negotiation
+proxy proxy_ajp proxy_balancer proxy_connect proxy_ftp proxy_html proxy_http proxy_scgi
+proxy_fcgi  proxy_wstunnel rewrite ratelimit remoteip reqtimeout setenvif
+slotmem_shm speling socache_shmcb status substitute unique_id userdir usertrack
+unixd version vhost_alias"
+# The following are also in the source as of this version, but are not available
+# for user selection:
+# bucketeer case_filter case_filter_in echo http isapi optional_fn_export
+# optional_fn_import optional_hook_export optional_hook_import
+
+# inter-module dependencies
+# TODO: this may still be incomplete
+MODULE_DEPENDS="
+	dav_fs:dav
+	dav_lock:dav
+	deflate:filter
+	cache_disk:cache
+	ext_filter:filter
+	file_cache:cache
+	lbmethod_byrequests:proxy_balancer
+	lbmethod_byrequests:slotmem_shm
+	lbmethod_bytraffic:proxy_balancer
+	lbmethod_bybusyness:proxy_balancer
+	lbmethod_heartbeat:proxy_balancer
+	log_forensic:log_config
+	logio:log_config
+	cache_disk:cache
+	mime_magic:mime
+	proxy_ajp:proxy
+	proxy_balancer:proxy
+	proxy_balancer:slotmem_shm
+	proxy_connect:proxy
+	proxy_ftp:proxy
+	proxy_html:proxy
+	proxy_http:proxy
+	proxy_scgi:proxy
+	proxy_fcgi:proxy
+	proxy_wstunnel:proxy
+	substitute:filter
+"
+
+# module<->define mappings
+MODULE_DEFINES="
+	auth_digest:AUTH_DIGEST
+	authnz_ldap:AUTHNZ_LDAP
+	cache:CACHE
+	cache_disk:CACHE
+	dav:DAV
+	dav_fs:DAV
+	dav_lock:DAV
+	file_cache:CACHE
+	http2:HTTP2
+	info:INFO
+	ldap:LDAP
+	proxy:PROXY
+	proxy_ajp:PROXY
+	proxy_balancer:PROXY
+	proxy_connect:PROXY
+	proxy_ftp:PROXY
+	proxy_html:PROXY
+	proxy_http:PROXY
+	proxy_fcgi:PROXY
+	proxy_scgi:PROXY
+	proxy_wstunnel:PROXY
+	socache_shmcb:SSL
+	ssl:SSL
+	status:STATUS
+	suexec:SUEXEC
+	userdir:USERDIR
+"
+
+# critical modules for the default config
+MODULE_CRITICAL="
+	authn_core
+	authz_core
+	authz_host
+	dir
+	mime
+	unixd
+"
+inherit eutils apache-2 systemd toolchain-funcs
+
+DESCRIPTION="The Apache Web Server"
+HOMEPAGE="https://httpd.apache.org/"
+
+# some helper scripts are Apache-1.1, thus both are here
+LICENSE="Apache-2.0 Apache-1.1"
+SLOT="2"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~x64-macos ~x86-macos ~m68k-mint ~sparc64-solaris ~x64-solaris"
+
+DEPEND+="apache2_modules_http2? ( >=net-libs/nghttp2-1.2.1 )"
+
+REQUIRED_USE="apache2_modules_http2? ( ssl )"
+
+pkg_setup() {
+	# dependend critical modules which are not allowed in global scope due
+	# to USE flag conditionals (bug #499260)
+	use ssl && MODULE_CRITICAL+=" socache_shmcb"
+	use doc && MODULE_CRITICAL+=" alias negotiation setenvif"
+	apache-2_pkg_setup
+}
+
+src_configure() {
+	# Brain dead check.
+	tc-is-cross-compiler && export ap_cv_void_ptr_lt_long="no"
+
+	apache-2_src_configure
+}
+
+src_compile() {
+	if tc-is-cross-compiler; then
+		# This header is the same across targets, so use the build compiler.
+		pushd server >/dev/null
+		emake gen_test_char
+		tc-export_build_env BUILD_CC
+		${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} \
+			gen_test_char.c -o gen_test_char $(apr-1-config --includes) || die
+		popd >/dev/null
+	fi
+
+	default
+}
+
+src_install() {
+	apache-2_src_install
+	for i in /usr/bin/{htdigest,logresolve,htpasswd,htdbm,ab,httxt2dbm}; do
+		rm "${ED}"/$i || die "Failed to prune apache-tools bits"
+	done
+	for i in /usr/share/man/man8/{rotatelogs.8,htcacheclean.8}; do
+		rm "${ED}"/$i || die "Failed to prune apache-tools bits"
+	done
+	for i in /usr/share/man/man1/{logresolve.1,htdbm.1,htdigest.1,htpasswd.1,dbmmanage.1,ab.1}; do
+		rm "${ED}"/$i || die "Failed to prune apache-tools bits"
+	done
+	for i in /usr/sbin/{checkgid,fcgistarter,htcacheclean,rotatelogs}; do
+		rm "${ED}/"$i || die "Failed to prune apache-tools bits"
+	done
+
+	# install apxs in /usr/bin (bug #502384) and put a symlink into the
+	# old location until all ebuilds and eclasses have been modified to
+	# use the new location.
+	local apxs="/usr/bin/apxs"
+	cp "${S}"/support/apxs "${ED}"${apxs} || die "Failed to install apxs"
+	ln -s ../bin/apxs "${ED}"/usr/sbin/apxs || die
+	chmod 0755 "${ED}"${apxs} || die
+
+	# Note: wait for mod_systemd to be included in the next release,
+	# then apache2.4.service can be used and systemd support controlled
+	# through --enable-systemd
+	systemd_newunit "${FILESDIR}/apache2.2-hardened.service" "apache2.service"
+	systemd_dotmpfilesd "${FILESDIR}/apache.conf"
+	#insinto /etc/apache2/modules.d
+	#doins "${FILESDIR}/00_systemd.conf"
+
+	# Install http2 module config
+	insinto /etc/apache2/modules.d
+	doins "${FILESDIR}"/41_mod_http2.conf
+}
+
+pkg_postinst()
+{
+	apache-2_pkg_postinst || die "apache-2_pkg_postinst failed"
+	# warnings that default config might not work out of the box
+	for mod in $MODULE_CRITICAL; do
+		if ! use "apache2_modules_${mod}"; then
+			echo
+			ewarn "Warning: Critical module not installed!"
+			ewarn "Modules 'authn_core', 'authz_core' and 'unixd'"
+			ewarn "are highly recomended but might not be in the base profile yet."
+			ewarn "Default config for ssl needs module 'socache_shmcb'."
+			ewarn "Enabling the following flags is highly recommended:"
+			for cmod in $MODULE_CRITICAL; do
+				use "apache2_modules_${cmod}" || \
+					ewarn "+ apache2_modules_${cmod}"
+			done
+			echo
+			break
+		fi
+	done
+	# warning for proxy_balancer and missing load balancing scheduler
+	if use apache2_modules_proxy_balancer; then
+		local lbset=
+		for mod in lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat; do
+			if use "apache2_modules_${mod}"; then
+				lbset=1 && break
+			fi
+		done
+		if [ ! $lbset ]; then
+			echo
+			ewarn "Info: Missing load balancing scheduler algorithm module"
+			ewarn "(They were split off from proxy_balancer in 2.3)"
+			ewarn "In order to get the ability of load balancing, at least"
+			ewarn "one of these modules has to be present:"
+			ewarn "lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat"
+			echo
+		fi
+	fi
+}

diff --git a/www-servers/apache/files/apache2.2-hardened.service b/www-servers/apache/files/apache2.2-hardened.service
new file mode 100644
index 0000000..7a512a7
--- /dev/null
+++ b/www-servers/apache/files/apache2.2-hardened.service
@@ -0,0 +1,27 @@
+[Unit]
+Description=The Apache HTTP Server
+After=network.target remote-fs.target nss-lookup.target
+
+[Service]
+EnvironmentFile=/etc/conf.d/apache2
+ExecStart=/usr/sbin/apache2 $APACHE2_OPTS -DFOREGROUND
+ExecReload=/usr/sbin/apache2 $APACHE2_OPTS -k graceful
+ExecStop=/usr/sbin/apache2 $APACHE2_OPTS -k graceful-stop
+# We want systemd to give httpd some time to finish gracefully, but still want
+# it to kill httpd after TimeoutStopSec if something went wrong during the
+# graceful stop. Normally, Systemd sends SIGTERM signal right after the
+# ExecStop, which would kill httpd. We are sending useless SIGCONT here to give
+# httpd time to finish.
+KillSignal=SIGCONT
+PrivateTmp=true
+#Hardening
+PrivateTmp=true
+CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_KILL CAP_NET_BIND_SERVICE CAP_IPC_LOCK
+SecureBits=noroot-locked
+ProtectSystem=full
+NoNewPrivileges=true
+PrivateDevices=true
+MemoryDenyWriteExecute=true
+
+[Install]
+WantedBy=multi-user.target


^ permalink raw reply related	[flat|nested] 15+ messages in thread

end of thread, other threads:[~2024-05-11  6:21 UTC | newest]

Thread overview: 15+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-04-20  3:11 [gentoo-commits] repo/gentoo:master commit in: www-servers/apache/, www-servers/apache/files/ Aaron Bauman
  -- strict thread matches above, loose matches on Subject: below --
2024-05-11  6:21 Hans de Graaff
2024-04-13  6:30 Hans de Graaff
2022-07-27  9:43 Hans de Graaff
2022-07-11  9:11 Hans de Graaff
2022-06-29  8:39 Sam James
2021-11-16  4:06 Michael Orlitzky
2021-05-01 18:07 Sam James
2019-12-10 15:00 Lars Wendler
2019-04-21  2:14 Lars Wendler
2018-08-24  0:56 Thomas Deutschmann
2018-03-26 17:47 Lars Wendler
2018-03-26  9:19 Lars Wendler
2017-01-12 22:55 Lars Wendler
2016-08-13 20:51 Richard Freeman

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox