Bill Stoddard wrote:
> The create_connection hook has a fatal design flaw. create_conn is run before
> ap_update_vhost_given_ip(), which means that it is impossible to install input and output
> filters based on vhost info.
>
> I want to install SSL_IN and SSL_OUT filters if the request is coming in to a vhost/port
> enabled for SSL and that can't be done with the create_connection hook.
>
> Bill
>
On that point. I don't think there is any way of inserting a proxy specific filter either, as there is no way for the hook to know what kind of request the connection is for.

>>>On Nov. 12, Ryan committed a patch creating the create_conn hook. The idea was to move
>>>the client_socket out of the conn_rec presumably to make available only to the core_in and
>>>core_out filters. However, I just found a backdoor...
>>>
>>>In core_create_conn() the socket is saved away thusly:
>>>ap_set_module_config(net->c->conn_config, &core_module, csd);
>>>
>>>And whoever needs to access the socket does this:
>>>apr_socket_t *csd = ap_get_module_config(f->c->conn_config, &core_module);
>>
>>That hack was added because the proxy does the completely wrong thing
>>with regard to handing sockets. In order to finish the Nov. 12 patch, I
>>need to rip a lot of logic out of the proxy and re-implement, which I
>>haven't had time to do recently. The only other module that should use
>>the get_module_config hack is the perchild module, which is also doing
>>the completely wrong thing with regard to sockets, but I haven't had time
>>to fix that one either.
>>
>>>So the goal of hiding the socket is completely blown. The Nov. 11 change added a lot of
>>>complexity to the server (hard to read/understand code) in pursuit of a goal that is then
>>>immediately circumvented by the ap_get|set_module_config. So we made the server more
>>>complex for no reason.
>>
>>It actually isn't blown. Try writing a module that implements a non TCP
>>socket, and it will work as long as you don't use the proxy or the
>>perchild module. As proof, look at the fact that the Unix MPMs have
>>been using that mechanism to handle the pipe_of_death. This allowed me
>>to remove the ugly hacks at the beginning of the accept loop, which
>>checked for the POD.
>>
>>Also, a big portion of the Nov 12 patch was to consolidate the accept
>>functions for Unix and BeOS, which has meant far less duplicated code in
>>the server.
>>
>>>I am on the verge of vetoing the Nov. 12 patch in favor of moving the
>>>client_socket back
>>>into the con_rec.
>>>
>>>Comments?
>>
>>Please don't let two mis-behaved modules color your judgment on this.
>>Both proxy and perchild must be re-written if they are going to be
>>clean, and once that is done the stupid set_module_config can be
>>removed. In fact, the server ran for over a day without the
>>set_module_config, but that broke the proxy, so I added the hack to
>>allow the proxy to continue to work, while I worked to solve the
>>underlying problem. Unfortunately, work and some extracurricular
>>activities have stopped me from contributing much code recently.
>>Hopefully, I will have time to code again soon.
>>
>>Ryan