argh. i tested http <-> https and https <-> https, but never https <-> http. it is indeed broken, although i don't see how it ever could have worked, unless mod_proxy was somehow removing the ssl filter by accident (which it had been at one point during keepalives after the first request).
problem is that the mod_ssl always adds its filters if SSLEngine is On for the given c->base_server. it has no way of knowing that it is being triggered by the proxy. one fix (patch below) is to add another optional function to disable the ssl engine for a given conn_rec at request time. proxy imports this function and calls it to disable the ssl filters unless the backend server requires an ssl connection.
Index: modules/proxy/mod_proxy.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/proxy/mod_proxy.c,v
retrieving revision 1.79
diff -u -r1.79 mod_proxy.c
--- modules/proxy/mod_proxy.c 1 Apr 2002 02:39:31 -0000 1.79
+++ modules/proxy/mod_proxy.c 7 Apr 2002 02:24:37 -0000
@@ -1048,8 +1048,10 @@
 };
 APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
+APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
 static APR_OPTIONAL_FN_TYPE(ssl_proxy_enable) *proxy_ssl_enable = NULL;
+static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *proxy_ssl_disable = NULL;
 PROXY_DECLARE(int) ap_proxy_ssl_enable(conn_rec *c)
 {
@@ -1064,10 +1066,20 @@
 return 0;
 }
+PROXY_DECLARE(int) ap_proxy_ssl_disable(conn_rec *c)
+{
+ if (proxy_ssl_disable) {
+ return proxy_ssl_disable(c);
+ }
+
+ return 0;
+}
+
 static int proxy_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s)
 {
 proxy_ssl_enable = APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable);
+ proxy_ssl_disable = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable);
 return OK;
 }
Index: modules/proxy/mod_proxy.h
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/proxy/mod_proxy.h,v
retrieving revision 1.78
diff -u -r1.78 mod_proxy.h
--- modules/proxy/mod_proxy.h 2 Apr 2002 04:30:49 -0000 1.78
+++ modules/proxy/mod_proxy.h 7 Apr 2002 02:24:37 -0000
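Review bot: The new `ap_proxy_ssl_disable` returns 0 both when mod_ssl is not loaded (`proxy_ssl_disable` is NULL) and when mod_ssl's `ssl_engine_disable` declines because SSLEngine is off for `c->base_server`, so a caller cannot tell a refusal from "nothing to disable", and the only caller this patch adds in proxy_http.c discards the value. That is acceptable because both 0 cases leave no SSL filter on the connection, but the contract should be written down rather than reconstructed from two modules; I would put it above the prototype that the mod_proxy.h hunk adds: `/* Ask mod_ssl not to install its filters on backend conn_rec c. Returns 1 if mod_ssl marked the connection, 0 if mod_ssl is absent or SSLEngine is off for c->base_server. */`. The mod_proxy.h hunk has the same gap and needs no separate change beyond that comment.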
@@ -274,5 +274,6 @@
 PROXY_DECLARE(void) ap_proxy_table_unmerge(apr_pool_t *p, apr_table_t *t, char *key);
 PROXY_DECLARE(int) ap_proxy_connect_to_backend(apr_socket_t **, const char *, apr_sockaddr_t *, const char *, proxy_server_conf *, server_rec *, apr_pool_t *);
 PROXY_DECLARE(int) ap_proxy_ssl_enable(conn_rec *c);
+PROXY_DECLARE(int) ap_proxy_ssl_disable(conn_rec *c);
 #endif /*MOD_PROXY_H*/
Index: modules/proxy/proxy_http.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/proxy/proxy_http.c,v
retrieving revision 1.144
diff -u -r1.144 proxy_http.c
--- modules/proxy/proxy_http.c 5 Apr 2002 18:08:07 -0000 1.144
+++ modules/proxy/proxy_http.c 7 Apr 2002 02:24:38 -0000
@@ -389,11 +389,16 @@
 backend->hostname = apr_pstrdup(c->pool, p_conn->name);
 backend->port = p_conn->port;
- if (backend->is_ssl && !ap_proxy_ssl_enable(backend->connection)) {
- ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0,
- r->server, "proxy: failed to enable ssl support "
- "for %pI (%s)", p_conn->addr, p_conn->name);
- return HTTP_INTERNAL_SERVER_ERROR;
+ if (backend->is_ssl) {
+ if (!ap_proxy_ssl_enable(backend->connection)) {
+ ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0,
+ r->server, "proxy: failed to enable ssl support "
+ "for %pI (%s)", p_conn->addr, p_conn->name);
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+ }
+ else {
+ ap_proxy_ssl_disable(backend->connection);
 }
 ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r->server,
Index: modules/ssl/mod_ssl.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/mod_ssl.c,v
retrieving revision 1.62
diff -u -r1.62 mod_ssl.c
--- modules/ssl/mod_ssl.c 2 Apr 2002 17:30:08 -0000 1.62
+++ modules/ssl/mod_ssl.c 7 Apr 2002 02:24:38 -0000
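Review bot: The new `else` branch moves the backend hop to cleartext by calling `ap_proxy_ssl_disable(backend->connection)` without leaving any trace, while the `is_ssl` branch logs its failure case; an operator checking why an https front end is talking http to a backend has nothing to correlate in the error log. Unless the debug message that follows the hunk already names the scheme (its text is outside the hunk), I would add inside the else: `ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r->server, "proxy: ssl disabled for backend %s", p_conn->name);`. The `is_ssl` flag is decided before this hunk, so the function that owns this block starts and ends outside it.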
@@ -252,6 +252,24 @@
 }
 sslconn->is_proxy = 1;
+ sslconn->disabled = 0;
+
+ return 1;
+}
+
+int ssl_engine_disable(conn_rec *c)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
+
+ SSLConnRec *sslconn;
+
+ if (!sc->enabled) {
+ return FALSE;
+ }
+
+ sslconn = ssl_init_connection_ctx(c);
+
+ sslconn->disabled = 1;
 return 1;
 }
@@ -279,6 +297,10 @@
 sslconn = ssl_init_connection_ctx(c);
 }
+ if (sslconn->disabled) {
+ return DECLINED;
+ }
+
 sslconn->log_level = sc->log_level;
 /*
@@ -560,6 +582,7 @@
 ssl_var_register();
 APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
+ APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
 }
 module AP_MODULE_DECLARE_DATA ssl_module = {
Index: modules/ssl/mod_ssl.h
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/mod_ssl.h,v
retrieving revision 1.112
diff -u -r1.112 mod_ssl.h
--- modules/ssl/mod_ssl.h 30 Mar 2002 06:46:24 -0000 1.112
+++ modules/ssl/mod_ssl.h 7 Apr 2002 02:24:38 -0000
@@ -432,6 +432,7 @@
 int verify_depth;
 int log_level; /* for avoiding expensive logging */
 int is_proxy;
+ int disabled;
 } SSLConnRec;
 #define SSLConnLogApplies(sslconn, level) (sslconn->log_level >= level)
@@ -722,8 +723,11 @@
 /* Proxy Support */
 int ssl_proxy_enable(conn_rec *c);
+int ssl_engine_disable(conn_rec *c);
 APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
+
+APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
 /* I/O */
 void ssl_io_filter_init(conn_rec *, SSL *);
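Review bot: `ssl_engine_disable` mixes `return FALSE;` on the SSLEngine-off path with the literal `return 1;` on success, and the function just above it in the same hunk (presumably `ssl_proxy_enable`, its header is outside the hunk) also uses the literal `return 1;`; pick one convention, `return 0;`, so the 0/1 contract of the optional function reads the same as mod_proxy's `ap_proxy_ssl_disable`, which returns the literal 0 for the not-loaded case. Note also that `ssl_engine_disable` sets `sslconn->disabled = 1` but leaves `is_proxy` untouched, while the function above now clears `disabled` when it sets `is_proxy = 1`; with the second hunk's early `return DECLINED` the `disabled` flag wins, but a conn_rec that was enabled as proxy and later disabled still carries `is_proxy = 1`, which deserves a one-line comment at the assignment, e.g. `/* is_proxy is deliberately left as is; disabled takes precedence in the connection hook */`, if anything else consults that flag. The functions touched by the second and third hunks start outside their hunks.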
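Review bot: The new `int disabled;` member of `SSLConnRec` has no comment, unlike `log_level` two lines above it, and nothing in the struct says who sets it or what it suppresses. I would write `int disabled; /* set by ssl_engine_disable(); mod_ssl then DECLINEs the connection and installs no filters */` so the field's meaning does not have to be recovered from mod_ssl.c. `SSLConnRec` itself begins before the hunk.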