On 14 Mar 2016, at 11:01 AM, Yann Ylavic <ylavic....@gmail.com> wrote:

>> The following patch provides support for TCP proxying to httpd.
>> 
>> It consists of the following three parts:
>> 
>> - mod_tcp: Allows the frontend to receive pure TCP connections
> 
> It looks like this module is only needed to remove HTTP filters from the 
> chain.
> Is the goal to have this core module instead of mod_http and make the
> latter dynamic?

Hmmm - good point.

What we need next is a proper protocol handling mechanism to efficiently 
determine the protocol in use on the connection, the same way we can 
efficiently determine the HTTP method.

Once we have that the core can be free of HTTP modules and we can just use the 
mod_tcp process_connection() handler.

>> - mod_proxy_tcp: Allows the proxy to make pure tcp or tls connections to a 
>> backend
> 
> Thanks, this will be very useful.
> 
>> - mod_ssl_tcp: Allows the proxy to route incoming connections based on the 
>> SNI header (tlsext)
> 
> Hmm, isn't mod_ssl (underlying-)protocol agnostic?
> Why couldn't it be used as-is (or adapted), and avoid code duplication?

It was like that to start with, but I split it all out so it could stand alone.

I see the value of mod_ssl just having this as an extra input filter, will 
simplify this.

>> In the following example config, incoming TCP connections are routed based 
>> on their SNI (the tlsext protocol) to given backend servers, which then 
>> complete the SSL connections as raw tunnels.
>> 
>> This allows you to use client certificates through the httpd proxy balancer 
>> all the way to the backend server without the proxy terminating any SSL 
>> along the way.
>> 
>> <VirtualHost localhost:9000>
>>  Protocol tlsext
> 
> Maybe "tcps"? I agree that SNI extension is needed, but "tlsext" looks
> confusing.

The “tlsext” refers to the TLS extensions which are parsed to determine what 
the client is trying to talk to. These extensions are SNI and ALPN (not yet 
supported but would be great if we could).

“tcps” implies “tcp over ssl”, which we already can do - just turn on SSLEnable.

Regards,
Graham
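As an added example, not part of the patch or of httpd itself: the routing decision the thread describes ("determine what the client is trying to talk to" from the TLS extensions, then hand the connection to a backend without terminating TLS) only needs the first record of the ClientHello. The Python below builds a constructed ClientHello, parses the SNI (extension 0) and ALPN (extension 16) lists out of it, and picks a backend by SNI. The hostnames, backend addresses, the `tlsext`-style routing table and the `choose_backend` helper are invented for illustration; a non-TLS or truncated first read falls through to the default backend instead of being guessed at.

```python
"""Extract SNI and ALPN from a raw TLS ClientHello and route by SNI.

Added example for the SNI-based TCP routing discussed in the thread. It is
not code from mod_tcp / mod_proxy_tcp / mod_ssl_tcp and uses no httpd API.
"""
import struct

EXT_SERVER_NAME = 0
EXT_ALPN = 16
RECORD_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01


class ClientHelloError(ValueError):
    """The bytes are not a complete, well-formed ClientHello record."""


def build_client_hello(sni=None, alpn=()):
    """Construct a minimal TLS 1.2 ClientHello record (constructed test input)."""
    exts = b""
    if sni is not None:
        host = sni.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        body = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(body)) + body
    if alpn:
        names = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn)
        body = struct.pack("!H", len(names)) + names
        exts += struct.pack("!HH", EXT_ALPN, len(body)) + body
    hello = (
        b"\x03\x03"                 # client_version TLS 1.2
        + bytes(32)                 # random (zeros; constructed input)
        + b"\x00"                   # session_id length 0
        + b"\x00\x02\xc0\x2f"       # one cipher suite
        + b"\x01\x00"               # one compression method: null
        + struct.pack("!H", len(exts)) + exts
    )
    hs = bytes([HANDSHAKE_CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([RECORD_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(hs)) + hs


def parse_client_hello(data):
    """Return {'sni': str|None, 'alpn': [str, ...]} from the first TLS record.

    Raises ClientHelloError when data is not a handshake record carrying a
    complete ClientHello (e.g. plain HTTP, or a short first read): a router
    must then read more or fall back, never guess from a partial record.
    """
    if len(data) < 5 or data[0] != RECORD_HANDSHAKE:
        raise ClientHelloError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    if len(data) < 5 + rec_len:
        raise ClientHelloError("record truncated; read more bytes before routing")
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HANDSHAKE_CLIENT_HELLO:
        raise ClientHelloError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        raise ClientHelloError("handshake message truncated")

    pos = 2 + 32                                  # client_version + random
    pos += 1 + body[pos]                          # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                          # compression_methods
    result = {"sni": None, "alpn": []}
    if pos + 2 > len(body):
        return result                             # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        raise ClientHelloError("extensions block overruns message")
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        edata = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if len(edata) != elen:
            raise ClientHelloError("extension overruns message")
        if etype == EXT_SERVER_NAME and len(edata) >= 5:
            # server_name_list: 2-byte length, then (name_type, len16, name) entries
            p, lend = 2, 2 + struct.unpack("!H", edata[:2])[0]
            while p + 3 <= min(lend, len(edata)):
                ntype, nlen = edata[p], struct.unpack("!H", edata[p + 1:p + 3])[0]
                name = edata[p + 3:p + 3 + nlen]
                if ntype == 0 and result["sni"] is None and len(name) == nlen:
                    result["sni"] = name.decode("ascii", "replace")
                p += 3 + nlen
        elif etype == EXT_ALPN and len(edata) >= 2:
            # protocol_name_list: 2-byte length, then (len8, name) entries
            p, lend = 2, 2 + struct.unpack("!H", edata[:2])[0]
            while p + 1 <= min(lend, len(edata)):
                nlen = edata[p]
                result["alpn"].append(edata[p + 1:p + 1 + nlen].decode("ascii", "replace"))
                p += 1 + nlen
    return result


def choose_backend(data, table, default):
    """Pick a backend by SNI; unparseable or unknown names go to `default`."""
    try:
        sni = parse_client_hello(data)["sni"]
    except ClientHelloError:
        return default
    return table.get(sni.lower(), default) if sni else default


if __name__ == "__main__":
    # Hypothetical routing table; names and addresses are made up.
    table = {"app.example.test": "10.0.0.1:443", "api.example.test": "10.0.0.2:443"}
    hello = build_client_hello("app.example.test", ["h2", "http/1.1"])
    print(parse_client_hello(hello), "->", choose_backend(hello, table, "10.0.0.9:443"))
```

The parser looks only at the first record, which is all a frontend sees before it must decide where to forward; since the proxy never terminates TLS, an SNI value it cannot verify must only ever select a backend, never grant anything. Clients that send no SNI (or an ALPN list only) still reach the default backend, so the fallback vhost stays reachable exactly as with a plain `SSLEngine` setup.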