argh. i tested http <-> https and https <-> https, but never
https <-> http. it is indeed broken, although i don't see how it ever
could have worked, unless mod_proxy was somehow removing the ssl filter by
accident (which it had been at one point during keepalives after the first
request).
the problem is that mod_ssl always adds its filters if SSLEngine is On for
the given c->base_server; it has no way of knowing that it is being
triggered by the proxy. one fix (patch below) is to add another optional
function to disable the ssl engine for a given conn_rec at request time.
proxy imports this function and calls it to disable the ssl filters unless
the backend server requires an ssl connection.
Index: modules/proxy/mod_proxy.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/proxy/mod_proxy.c,v
retrieving revision 1.79
diff -u -r1.79 mod_proxy.c
--- modules/proxy/mod_proxy.c 1 Apr 2002 02:39:31 -0000 1.79
+++ modules/proxy/mod_proxy.c 7 Apr 2002 02:24:37 -0000
@@ -1048,8 +1048,10 @@
};
APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
+APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
static APR_OPTIONAL_FN_TYPE(ssl_proxy_enable) *proxy_ssl_enable = NULL;
+static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *proxy_ssl_disable = NULL;
PROXY_DECLARE(int) ap_proxy_ssl_enable(conn_rec *c)
{
@@ -1064,10 +1066,20 @@
return 0;
}
+PROXY_DECLARE(int) ap_proxy_ssl_disable(conn_rec *c)
+{
+ if (proxy_ssl_disable) {
+ return proxy_ssl_disable(c);
+ }
+
+ return 0;
+}
+
static int proxy_post_config(apr_pool_t *pconf, apr_pool_t *plog,
apr_pool_t *ptemp, server_rec *s)
{
proxy_ssl_enable = APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable);
+ proxy_ssl_disable = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable);
return OK;
}
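Review bot: ap_proxy_ssl_disable has no comment stating its return contract, and the value it hands back is ambiguous: 0 means either "mod_ssl is not loaded" (proxy_ssl_disable still NULL) or whatever ssl_engine_disable returns when it declines. A one-line comment above the definition would keep later callers from treating 0 as an error, e.g. `/* Returns mod_ssl's ssl_engine_disable() result, or 0 when mod_ssl is not loaded; 0 is not an error, it means no SSL filter would be installed on c anyway. */`. The same ambiguity applies to the ap_proxy_ssl_enable wrapper that precedes it, whose body lies outside this hunk.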
Index: modules/proxy/mod_proxy.h
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/proxy/mod_proxy.h,v
retrieving revision 1.78
diff -u -r1.78 mod_proxy.h
--- modules/proxy/mod_proxy.h 2 Apr 2002 04:30:49 -0000 1.78
+++ modules/proxy/mod_proxy.h 7 Apr 2002 02:24:37 -0000
@@ -274,5 +274,6 @@
PROXY_DECLARE(void) ap_proxy_table_unmerge(apr_pool_t *p, apr_table_t *t, char *key);
PROXY_DECLARE(int) ap_proxy_connect_to_backend(apr_socket_t **, const char *,
apr_sockaddr_t *, const char *, proxy_server_conf *, server_rec *, apr_pool_t *);
PROXY_DECLARE(int) ap_proxy_ssl_enable(conn_rec *c);
+PROXY_DECLARE(int) ap_proxy_ssl_disable(conn_rec *c);
#endif /*MOD_PROXY_H*/
Index: modules/proxy/proxy_http.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/proxy/proxy_http.c,v
retrieving revision 1.144
diff -u -r1.144 proxy_http.c
--- modules/proxy/proxy_http.c 5 Apr 2002 18:08:07 -0000 1.144
+++ modules/proxy/proxy_http.c 7 Apr 2002 02:24:38 -0000
@@ -389,11 +389,16 @@
backend->hostname = apr_pstrdup(c->pool, p_conn->name);
backend->port = p_conn->port;
- if (backend->is_ssl && !ap_proxy_ssl_enable(backend->connection)) {
- ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0,
- r->server, "proxy: failed to enable ssl support "
- "for %pI (%s)", p_conn->addr, p_conn->name);
- return HTTP_INTERNAL_SERVER_ERROR;
+ if (backend->is_ssl) {
+ if (!ap_proxy_ssl_enable(backend->connection)) {
+ ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0,
+ r->server, "proxy: failed to enable ssl support "
+ "for %pI (%s)", p_conn->addr, p_conn->name);
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+ }
+ else {
+ ap_proxy_ssl_disable(backend->connection);
}
ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r->server,
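Review bot: The new else branch discards the result of `ap_proxy_ssl_disable(backend->connection);`, and nothing says whether that is deliberate. Given how the mod_ssl side of this patch is written, 0 comes back both when mod_ssl is absent and when SSLEngine is off for the base server, and in both cases no SSL filter would be added, so ignoring it is defensible, but the intent should be recorded so a later reader does not "fix" it into an error path that breaks plain-HTTP proxying on servers without mod_ssl: `/* rc ignored: 0 means mod_ssl is absent or SSLEngine is off, so no filter would be installed anyway */`. The enclosing function begins and ends outside this hunk.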
Index: modules/ssl/mod_ssl.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/mod_ssl.c,v
retrieving revision 1.62
diff -u -r1.62 mod_ssl.c
--- modules/ssl/mod_ssl.c 2 Apr 2002 17:30:08 -0000 1.62
+++ modules/ssl/mod_ssl.c 7 Apr 2002 02:24:38 -0000
@@ -252,6 +252,24 @@
}
sslconn->is_proxy = 1;
+ sslconn->disabled = 0;
+
+ return 1;
+}
+
+int ssl_engine_disable(conn_rec *c)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
+
+ SSLConnRec *sslconn;
+
+ if (!sc->enabled) {
+ return FALSE;
+ }
+
+ sslconn = ssl_init_connection_ctx(c);
+
+ sslconn->disabled = 1;
return 1;
}
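Review bot: ssl_engine_disable mixes return conventions, `return FALSE;` on the SSLEngine-off path and `return 1;` on success, while the sibling ssl_proxy_enable visible just above uses `return 1;`; pick one form, e.g. `return TRUE;` on the success path, so the optional-function contract reads the same in both. The function also lacks a comment explaining why a connection under an SSL-enabled base_server needs to opt out at all; suggest, above the definition, `/* Called by mod_proxy on a backend conn_rec whose target is plain HTTP: mark the connection so the pre-connection hook installs no SSL filters even though SSLEngine is On for c->base_server. */`. Worth noting in that comment that the flag only takes effect if the check in the pre-connection hook runs before any filter is added, which is what the next hunk relies on; the start of ssl_proxy_enable, including the line that resets `disabled` to 0, is outside this hunk.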
@@ -279,6 +297,10 @@
sslconn = ssl_init_connection_ctx(c);
}
+ if (sslconn->disabled) {
+ return DECLINED;
+ }
+
sslconn->log_level = sc->log_level;
/*
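Review bot: The new `if (sslconn->disabled) { return DECLINED; }` returns before `sslconn->log_level = sc->log_level;`, so a disabled connection keeps whatever log_level ssl_init_connection_ctx left in the struct, and any later SSLConnLogApplies() check on that conn would use that value rather than the server's configured level. This is probably harmless since no SSL filters are installed on such a connection, but moving the check one statement down, after the log_level assignment, costs nothing and removes the question. The enclosing hook function starts and ends outside this hunk.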
@@ -560,6 +582,7 @@
ssl_var_register();
APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
+ APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
}
module AP_MODULE_DECLARE_DATA ssl_module = {
Index: modules/ssl/mod_ssl.h
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/mod_ssl.h,v
retrieving revision 1.112
diff -u -r1.112 mod_ssl.h
--- modules/ssl/mod_ssl.h 30 Mar 2002 06:46:24 -0000 1.112
+++ modules/ssl/mod_ssl.h 7 Apr 2002 02:24:38 -0000
@@ -432,6 +432,7 @@
int verify_depth;
int log_level; /* for avoiding expensive logging */
int is_proxy;
+ int disabled;
} SSLConnRec;
#define SSLConnLogApplies(sslconn, level) (sslconn->log_level >= level)
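Review bot: The new `int disabled;` member is undocumented, whereas the neighbouring `log_level` field carries a comment, and the name alone does not say who sets it or what it suppresses. Suggest `int disabled; /* set by ssl_engine_disable(): install no SSL filters on this conn */` so the per-connection opt-out is discoverable from the header rather than only from the proxy code that triggers it.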
@@ -722,8 +723,11 @@
/* Proxy Support */
int ssl_proxy_enable(conn_rec *c);
+int ssl_engine_disable(conn_rec *c);
APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
+
+APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
/* I/O */
void ssl_io_filter_init(conn_rec *, SSL *);