
Merge 11-Dev back into master #12983

Merged
cmcfarlen merged 54 commits into apache:master from cmcfarlen:for-11-master
Mar 18, 2026

@cmcfarlen
Contributor

No description provided.

bneradt and others added 30 commits February 26, 2024 11:14
Conflicts are related to:
apache#11157
There were no conflicts.
Conflicts:
      include/iocore/net/TLSSessionResumptionSupport.h
      src/iocore/net/SSLUtils.cc
Conflicts:
      doc/admin-guide/files/records.yaml.en.rst
The conflict is a result of apache#11157 but is easy enough to resolve since

 Conflicts:
	src/api/InkAPI.cc
```
FAILED: src/iocore/net/CMakeFiles/inknet.dir/SSLUtils.cc.o
/Library/Developer/CommandLineTools/usr/bin/clang++ -DDEBUG -DOPENSSL_API_COMPAT=10002 -DOPENSSL_IS_OPENSSL3 -DPACKAGE_NAME="\"Apache Traffic Server\"" -DPACKAGE_VERSION=\"11.0.0\" -D_DEBUG -Ddarwin -I/Users/bneradt/project_not_synced/repos/ts_os/include -I/Users/bneradt/project_not_synced/repos/ts_os/build/include -I/Users/bneradt/project_not_synced/repos/ts_os/lib/swoc/include -I/Users/bneradt/project_not_synced/repos/ts_os/lib/yamlcpp/include -isystem /opt/ats_h3_tools/openssl-quic/include -isystem /opt/homebrew/include -isystem /Users/bneradt/project_not_synced/repos/ts_os/lib/systemtap -isystem /opt/homebrew/Cellar/pcre2/10.44/include -Qunused-arguments -g -std=c++20 -arch arm64 -isysroot /Library/Developer/CommandLineTools/SDKs/MacOSX15.2.sdk -Wno-invalid-offsetof -pipe -Wall -Wextra -Wno-noexcept-type -Wsuggest-override -Wno-vla-extension -fno-strict-aliasing -Wno-deprecated-declarations -Werror -MD -MT src/iocore/net/CMakeFiles/inknet.dir/SSLUtils.cc.o -MF src/iocore/net/CMakeFiles/inknet.dir/SSLUtils.cc.o.d -o src/iocore/net/CMakeFiles/inknet.dir/SSLUtils.cc.o -c /Users/bneradt/project_not_synced/repos/ts_os/src/iocore/net/SSLUtils.cc
/Users/bneradt/project_not_synced/repos/ts_os/src/iocore/net/SSLUtils.cc:1284:57: error: unused parameter 'ctx' [-Werror,-Wunused-parameter]
 1284 | SSLMultiCertConfigLoader::_setup_session_cache(SSL_CTX *ctx)
      |                                                         ^
1 error generated.
```

Co-authored-by: bneradt <bneradt@yahooinc.com>
Conflicts:
      src/api/InkAPI.cc
bneradt and others added 21 commits August 1, 2025 11:26
Conflicts:
      doc/admin-guide/files/records.yaml.en.rst
      src/iocore/net/SSLConfig.cc
      src/records/RecordsConfig.cc
      tests/gold_tests/pluginTest/stek_share/stek_share.test.py
      tests/gold_tests/tls/tls_0rtt_server.test.py
      tests/gold_tests/tls/tls_origin_session_reuse.test.py
      tests/gold_tests/tls/tls_session_reuse.test.py
   Conflicts:
          include/iocore/net/TLSSessionResumptionSupport.h
          src/iocore/net/SSLSessionCache.cc
          src/iocore/net/TLSSessionResumptionSupport.cc
The 11-Dev branch has removed the TLS session caching feature, but did
not update the docs to remove references to it. This made the docs build
fail. This updates the docs to remove session cache references.
There were no conflicts.
Detect and ignore Cache-Control directives that are malformed (e.g.,
using semicolons instead of commas). When the parser cannot fully
consume a Cache-Control directive value, leaving unparsed non-whitespace
content, the directive is treated as unrecognized and ignored per RFC
7234 Section 5.2.

For example, a malformed header such as 'public; max-age=30' (note the
incorrect semicolon separator) would previously set the 'public' bit but
ignore the unparsed 'max-age=30', causing the response to be cached with
incorrect heuristic lifetimes. Not only is this incorrect per the RFC,
but the intended max-age was, from the user's perspective, mysteriously
ignored. Now the entire malformed directive is ignored, allowing default
caching rules to apply correctly.

Fixes: apache#12029
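
The Cache-Control behaviour change described in the commit message above, as an added example that is not code from this pull request or from ATS. It is a reduced parser: the names `CacheControl`, `parse_element`, `parse_cache_control` and the `strict` switch are hypothetical, and only `public` and `max-age` are modelled. `strict=false` reproduces the earlier partial acceptance and `strict=true` ignores an element that has unparsed content left over.

```cpp
#include <cctype>
#include <cstdio>
#include <string>

struct CacheControl { // constructed model, not ATS code
  bool is_public = false;
  long long max_age = -1; // -1 means "not set"
};
static std::size_t skip_ws(const std::string &s, std::size_t i) {
  while (i < s.size() && (s[i] == ' ' || s[i] == '\t')) ++i;
  return i;
}
// Parse one comma-delimited element; strict=true ignores the whole element
// when unparsed non-whitespace content is left over.
static void parse_element(const std::string &e, bool strict, CacheControl &cc) {
  std::size_t i = skip_ws(e, 0), start = i;
  while (i < e.size() && (std::isalnum((unsigned char)e[i]) || e[i] == '-')) ++i;
  std::string name = e.substr(start, i - start);
  for (char &c : name) c = (char)std::tolower((unsigned char)c);
  CacheControl tmp = cc;
  if (name == "public") {
    tmp.is_public = true;
  } else if (name == "max-age" && i < e.size() && e[i] == '=') {
    std::size_t digits = ++i;
    long long v = 0;
    for (; i < e.size() && std::isdigit((unsigned char)e[i]); ++i)
      if (v < 1000000000LL) v = v * 10 + (e[i] - '0'); // stop before overflow
    if (i == digits) return; // no delta-seconds given
    tmp.max_age = v;
  } else {
    return; // unrecognized directive
  }
  if (strict && skip_ws(e, i) != e.size()) return; // leftover content
  cc = tmp;
}
CacheControl parse_cache_control(const std::string &value, bool strict) {
  CacheControl cc;
  for (std::size_t pos = 0; pos <= value.size();) {
    std::size_t comma = value.find(',', pos);
    if (comma == std::string::npos) comma = value.size();
    parse_element(value.substr(pos, comma - pos), strict, cc);
    pos = comma + 1;
  }
  return cc;
}

int main() {
  CacheControl cc = parse_cache_control("public; max-age=30", true);
  std::printf("public=%d max_age=%lld\n", cc.is_public, cc.max_age);
}
```

With the semicolon-separated header, the non-strict mode leaves `is_public` set and `max_age` unset, which is the state that led to heuristic lifetimes; the strict mode leaves both unset.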
Replace the ssl_multicert.config format with YAML format, following the
pattern established by sni.yaml. The new ssl_multicert.yaml uses a
top-level 'ssl_multicert' key containing a sequence of certificate
entries.

This also supports config conversion via:
traffic_ctl config ssl_multicert <old_config> <new_config>
 Conflicts:
	doc/developer-guide/testing/blackbox-testing.en.rst
	src/iocore/net/SSLSessionCache.cc
Set proxy.config.http.cache.targeted_cache_control_headers to
CDN-Cache-Control by default for 11-Dev so targeted cache control is
active out of the box.

Update admin docs and release notes to reflect the new default and
document that an empty value disables targeted cache control.

Extend targeted-cache-control AuTest coverage to verify default
behavior without remap override, while preserving remap override
coverage for header priority and custom targeted headers.

Co-authored-by: bneradt <bneradt@yahooinc.com>
…ache#12892)

ATS Configuration Reload with observability/tracing — Token model
Replace the fire-and-forget configuration reload mechanism with a new
token-based, observable reload framework. Every reload operation is now
assigned a unique token, tracked through a task tree, and queryable via
CLI or JSONRPC at any point after submission.

Core components introduced:

- ConfigRegistry: centralized singleton for config file registration,
  filename records, trigger records, and reload handlers. Replaces the
  scattered registration across AddConfigFilesHere.cc and individual
  modules.
- ReloadCoordinator: manages reload session lifecycle including token
  generation, concurrency control (--force to override), timeout
  detection, and rolling history.
- ConfigReloadTask: tracks a single reload as a tree of sub-tasks with
  per-handler status, timings, and logs.
- ConfigContext: lightweight context passed to handlers providing
  in_progress(), complete(), fail(), log(), supplied_yaml(), and
  add_dependent_ctx(). Safe no-op at startup when no reload is active.
- ConfigReloadProgress: periodic checker that detects stuck tasks and
  marks them as TIMEOUT.

New traffic_ctl commands:

- config reload [-m] [-t <token>] [-d @file] [--force]
- config status [-t <token>] [-c all]

  All commands support --format json for automation and CI pipelines.

New JSONRPC APIs:

- admin_config_reload: unified file-based or inline reload with token,
  force, and configs parameters.
- get_reload_config_status: query reload status by token or get the
  last N reloads.

Migrated config handlers to ConfigRegistry: ip_allow, cache_control,
cache_hosting, parent_proxy, split_dns, remap, logging,
ssl_client_coordinator (with sni.yaml and ssl_multicert.config as
dependencies), ssl_ticket_key, records, and pre-warm. Static configs
(storage, volume, plugin, socks, jsonrpc) registered as inventory-only.

Removed legacy ConfigUpdateHandler/ConfigUpdateContinuation from
ConfigProcessor.h. Removed AddConfigFilesHere.cc in favor of
per-module self-registration.

Fixed duplicate handler execution for configs with multiple trigger
records (e.g. ssl_client_coordinator) by deduplicating against the
ConfigReloadTask subtask tree.

Added RecFlushConfigUpdateCbs() to synchronously fire pending record
callbacks after rereadConfig(), ensuring all subtasks are registered
before the first status poll.


New configuration records:
- proxy.config.admin.reload.timeout (default: 1h)
- proxy.config.admin.reload.check_interval (default: 2s)

Backward compatible: existing `traffic_ctl config reload` works as
before; internally it now uses the new framework with automatic token
assignment and tracking.
 Conflicts:
	include/ts/ts.h
	include/tscore/ArgParser.h
	src/iocore/cache/P_CacheHosting.h
	src/proxy/ReverseProxy.cc
	src/tscore/ArgParser.cc
@cmcfarlen cmcfarlen self-assigned this Mar 17, 2026
@apache apache deleted a comment from cmcfarlen Mar 17, 2026
@bryancall
Contributor

The AuTest 0of4 failure is caused by ats_replay.test.ext still referencing the old ssl_multicert_config attribute after the ssl_multicert.config → ssl_multicert.yaml migration (#12755).

The chunked_encoding test's large_chunked.replay.yaml uses ATSReplayTest with enable_tls: true, which hits line 62 of ats_replay.test.ext:

AttributeError: 'Disk' object has no attribute 'ssl_multicert_config'. Did you mean: 'ssl_multicert_yaml'?

On 11-Dev, the TLS block was already removed from ats_replay.test.ext, but the merge result picks up master's version which still has the old code. The fix is to update the TLS section in ats_replay.test.ext to use ssl_multicert_yaml:

--- a/tests/gold_tests/autest-site/ats_replay.test.ext
+++ b/tests/gold_tests/autest-site/ats_replay.test.ext
@@ -43,11 +43,11 @@
     # TLS configs
     enable_tls = process_config.get('enable_tls', False)
     if enable_tls:
-        # Configure ssl_multicert.config if specified.
-        ssl_multicert_config = ats_config.get('ssl_multicert_config', [])
+        # Configure ssl_multicert.yaml if specified.
+        ssl_multicert_yaml = ats_config.get('ssl_multicert_yaml', [])
 
-        # setup default cert and key ssl_multicert_config is empty
-        if ssl_multicert_config == []:
+        # setup default cert and key if ssl_multicert_yaml is empty
+        if ssl_multicert_yaml == []:
             ts.addDefaultSSLFiles()
 
             ts.Disk.records_config.update(
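Review bot: the renamed lookup `ats_config.get('ssl_multicert_yaml', [])` silently falls through to the default certificate when a replay file still supplies the old `ssl_multicert_config` key, so such a test would run against `server.pem` without any failure. Consider raising an error when `'ssl_multicert_config' in ats_config`, and use `if not ssl_multicert_yaml:` in place of `== []` so that `None` or an empty tuple also get the default.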
@@ -56,10 +56,15 @@
                     'proxy.config.ssl.server.private_key.path': ts.Variables.SSLDir,
                 })
 
-            ssl_multicert_config = ["dest_ip=* ssl_cert_name=server.pem ssl_key_name=server.key"]
+            ssl_multicert_yaml = [
+                "ssl_multicert:",
+                "  - ssl_cert_name: server.pem",
+                "    ssl_key_name: server.key",
+                '    dest_ip: "*"',
+            ]
 
-        for line in ssl_multicert_config:
-            ts.Disk.ssl_multicert_config.AddLine(line)
+        for line in ssl_multicert_yaml:
+            ts.Disk.ssl_multicert_yaml.AddLine(line)
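Review bot: `ssl_multicert_yaml` is a list of raw text lines passed to `AddLine`, so a caller-supplied value has to carry the top-level `ssl_multicert:` key and the correct indentation itself, and nothing in this block checks that. Document the expected shape next to the `ats_config.get('ssl_multicert_yaml', [])` lookup, or accept a list of entry mappings and serialize it here. The quoting in `'    dest_ip: "*"'` is required, since a bare `*` starts a YAML alias; a short comment saying so would keep it from being dropped in a later cleanup.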

Verified in the Fedora 42 CI Docker image — chunked_encoding and cache-auth both pass with this fix.

…sl_multicert.config to ssl_multicert.yaml migration (apache#12755) removed the TLS block from ats_replay.test.ext, but ATSReplayTest still needs it for tests using enable_tls (e.g. chunked_encoding large_chunked). Add the TLS configuration back using the new ssl_multicert.yaml format. (apache#12992)

(cherry picked from commit 20bf38c)
@cmcfarlen cmcfarlen merged commit 8415cef into apache:master Mar 18, 2026
15 checks passed
@cmcfarlen cmcfarlen deleted the for-11-master branch March 18, 2026 18:15