On Wed, Apr 13, 2016 at 7:49 PM, Rainer Jung <rainer.j...@kippdata.de> wrote:
> On 13.04.2016 at 17:04, Graham Leggett wrote:
>>
>> The catch is that mod_ssl forces us to declare SSL certs and keys server
>> wide, not per directory, loaded and parsed at startup. We however want to
>> specify certs per directory.
>
> Per directory or better in some new way per proxy backend (or proxy worker,
> proxy balancer).

IIUC, the <Proxy> block is a per_dir context already, which can/could accept any directive provided their ap_check_cmd_context() allows it (we may need to declare a new PROXY_CONF).

So how about making per_dir SSLProxy* directives, restricted to server and <proxy> context?

This would let the loading (and validation) work like currently, mod_ssl could still do its standalone post_config stuff (server AND per_dir wise).

At runtime, proxy_walk() would still do the merging (there may be same SSLProxy* in both <VirtualHost> and <Proxy> which need merging, but that would be a single one since we restrict those directives to server and <proxy> context).

Finally, if ssl_proxy_enable[_ex]() is given r->per_dir_config, it could initialize the backend connection with the right context.

Wouldn't that work without so many changes?