Hello Ralf,
Hello Everyone,
I have just added a new feature to mod_ssl which gets around what was, in my
opinion, one of its annoying little quirks. Basically, this new feature
allows one to create a VirtualHost section which applies to the SSL and
non-SSL server on one IP address. Previously, one had to create two
VirtualHost sections, one SSL and one not, which requires duplication of
all the configuration directives, including logging directives. Duplication of
logging directives uses up double the file
descriptors and requires a ssl_access_log and a non-ssl_access_log.
The patch creates an additional directive "SSLOnlyOnPort" which tells the
mod_ssl engine to only serve incoming connections on the specified port as
SSL. Connections on other ports, even though the VirtualHost has SSL
enabled, are treated as non-SSL connections.
Here is an example configuration:
-----
Listen 209.70.72.155:80
Listen 209.70.72.155:443
<VirtualHost 209.70.72.155:*>
ServerAdmin [EMAIL PROTECTED]
ServerName www.westegg.com
DocumentRoot /web/4/morgan
ErrorLog /web/4/_admin/morgan/logs/error_log
TransferLog /web/4/_admin/morgan/logs/transfer_log
SSLEngine on
SSLCertificateKeyFile /web/4/_admin/morgan/ssl/www.westegg.com.key
SSLCertificateFile /web/4/_admin/morgan/ssl/www.westegg.com.crt
SSLOnlyOnPort 443
SSLLog /web/4/_admin/morgan/logs/ssl_log
SSLLogLevel trace
</VirtualHost>
-----
Notice how the first three lines make this VirtualHost section grab the SSL
and non-SSL ports on 209.70.72.155. Then the "SSLOnlyOnPort 443" line tells
the mod_ssl engine to only treat connections on port 443 as SSL. Therefore,
connections to 209.70.72.155:80 are non-SSL and connections to
209.70.72.155:443 are handled as SSL -- all with one VirtualHosts section.
This patch is to mod_ssl-2.1.6-1.3.3 and is included after my .sig file.
Since I just know my mailer will word wrap this, you can also get it at:
http://www.davideous.com/misc/pkg.sslmod.diff
- David Harris
Principal Engineer, DRH Internet Services
diff -u pkg.sslmod.orig/mod_ssl.c pkg.sslmod/mod_ssl.c
--- pkg.sslmod.orig/mod_ssl.c Sat Jan 2 11:44:55 1999
+++ pkg.sslmod/mod_ssl.c Fri Jan 8 06:33:22 1999
@@ -123,6 +123,9 @@
AP_SRV_CMD(LogLevel, TAKE1,
"SSL logfile verbosity level "
"(`none', `error', `warn', `info', `debug')")
+ AP_SRV_CMD(OnlyOnPort, TAKE1,
+ "SSL port for this virtual host"
+ "(`N' - number of SSL port)")
/*
* Per-directory context configuration directives
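Review bot: The two adjacent string literals in the new AP_SRV_CMD(OnlyOnPort, ...) entry concatenate with no separator, so the help text reads `SSL port for this virtual host(`N' - number of SSL port)`. The LogLevel entry just above ends its first literal with a trailing space for exactly this reason. Change the first literal to `"SSL port for this virtual host "`.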
diff -u pkg.sslmod.orig/mod_ssl.h pkg.sslmod/mod_ssl.h
--- pkg.sslmod.orig/mod_ssl.h Wed Jan 6 10:30:04 1999
+++ pkg.sslmod/mod_ssl.h Fri Jan 8 06:34:21 1999
@@ -459,6 +459,7 @@
int nSessionCacheTimeout;
int nPassPhraseDialogType;
char *szPassPhraseDialogPath;
+ int nOnlyOnPort;
} SSLSrvConfigRec;
/*
@@ -501,6 +502,7 @@
const char *ssl_cmd_SSLSessionCacheTimeout(cmd_parms *, char *, char *);
const char *ssl_cmd_SSLLog(cmd_parms *, char *, char *);
const char *ssl_cmd_SSLLogLevel(cmd_parms *, char *, char *);
+const char *ssl_cmd_SSLOnlyOnPort(cmd_parms *, char *, char *);
const char *ssl_cmd_SSLOptions(cmd_parms *, SSLDirConfigRec *, const char
*);
const char *ssl_cmd_SSLRequireSSL(cmd_parms *, SSLDirConfigRec *, char *);
const char *ssl_cmd_SSLRequire(cmd_parms *, SSLDirConfigRec *, char *);
diff -u pkg.sslmod.orig/ssl_engine_config.c pkg.sslmod/ssl_engine_config.c
--- pkg.sslmod.orig/ssl_engine_config.c Sat Jan 2 11:51:41 1999
+++ pkg.sslmod/ssl_engine_config.c Fri Jan 8 06:36:26 1999
@@ -156,6 +156,7 @@
sc->nSessionCacheTimeout = UNSET;
sc->nPassPhraseDialogType = SSL_PPTYPE_UNSET;
sc->szPassPhraseDialogPath = NULL;
+ sc->nOnlyOnPort = NULL;
sc->fileLogFile = NULL;
sc->px509Certificate = NULL;
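Review bot: `sc->nOnlyOnPort = NULL;` stores the null pointer constant into an int field; it happens to yield 0 on common toolchains but is the wrong type and draws a warning. Write `sc->nOnlyOnPort = 0;` if 0 is to mean "not set", or `sc->nOnlyOnPort = UNSET;` to match nSessionCacheTimeout two lines above. The two are not interchangeable: cfgMergeInt(nOnlyOnPort) in the next hunk presumably inherits the base-server value only while the field equals UNSET (the macro body is not in this patch, so this is inferred), whereas the new check in ssl_engine_kernel.c treats any nonzero value as "set", so an UNSET default would require that check to become `if (sc->nOnlyOnPort > 0 && sc->nOnlyOnPort != port)`. Whichever convention is chosen, the default here, the merge, and the kernel check must agree on it.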
@@ -187,6 +188,7 @@
cfgMergeInt(nSessionCacheTimeout);
cfgMerge(nPassPhraseDialogType, SSL_PPTYPE_UNSET);
cfgMergeString(szPassPhraseDialogPath);
+ cfgMergeInt(nOnlyOnPort);
cfgMerge(fileLogFile, NULL);
cfgMerge(px509Certificate, NULL);
@@ -477,6 +479,17 @@
sc->nLogLevel = SSL_LOG_DEBUG;
else
return "SSLLogLevel: Invalid argument";
+ return NULL;
+}
+
+const char *ssl_cmd_SSLOnlyOnPort(
+ cmd_parms *cmd, char *struct_ptr, char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+ sc->nOnlyOnPort = atoi(arg);
+ if (sc->nOnlyOnPort < 0)
+ return "SSLOnlyOnPort: Invalid argument";
return NULL;
}
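Review bot: ssl_cmd_SSLOnlyOnPort accepts any non-negative atoi() result, so `SSLOnlyOnPort 443x`, `SSLOnlyOnPort abc` (atoi returns 0) and `SSLOnlyOnPort 70000` are all accepted; the first two silently leave the feature disabled because the kernel check treats 0 as "not set", and a value above 65535 can never match a connection's port, so the host would quietly serve plaintext on every port. The value is also written into sc before it is validated. Parse with strtol, require the whole argument to be consumed and the result to lie in 1..65535, and assign only after validation; that also guarantees the int is positive when it is compared against the unsigned `port` in ssl_engine_kernel.c.
```c
const char *ssl_cmd_SSLOnlyOnPort(
    cmd_parms *cmd, char *struct_ptr, char *arg)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    char *end = NULL;
    long port = strtol(arg, &end, 10);

    /* whole argument must be digits, and a TCP port is 1..65535 */
    if (end == arg || *end != '\0' || port < 1 || port > 65535)
        return "SSLOnlyOnPort: Invalid argument";
    sc->nOnlyOnPort = (int)port;
    return NULL;
}
```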
diff -u pkg.sslmod.orig/ssl_engine_kernel.c pkg.sslmod/ssl_engine_kernel.c
--- pkg.sslmod.orig/ssl_engine_kernel.c Wed Jan 6 10:22:16 1999
+++ pkg.sslmod/ssl_engine_kernel.c Fri Jan 8 06:43:37 1999
@@ -133,6 +133,7 @@
SSL *ssl;
char *cp;
int rc;
+ unsigned port;
/*
* Get context
@@ -140,6 +141,7 @@
srvr = conn->server;
fb = conn->client;
sc = mySrvConfig(srvr);
+ port = ntohs(conn->local_addr.sin_port);
/*
* Create SSL context
@@ -152,6 +154,13 @@
*/
if (sc == NULL || !sc->bEnabled)
return;
+
+ if (sc->nOnlyOnPort && sc->nOnlyOnPort != port)
+ {
+ ssl_log(srvr, SSL_LOG_INFO, "Connection to child %d on port %d set
non-SSL by OnlyOnPort (server %s:%d)",
+ conn->child_num, port, srvr->server_hostname, srvr->port);
+ return;
+ }
/*
* Remember the connection information for
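Review bot: The early return at `if (sc->nOnlyOnPort && sc->nOnlyOnPort != port)` leaves the connection as plaintext while `sc->bEnabled` remains true for the virtual host, so any other mod_ssl code that decides "this connection is SSL" from the server config rather than from per-connection state (whatever sets the SSL environment variables or enforces SSLRequireSSL, for instance) needs to be checked against this patch; that code is not in the hunk, so this is a request to verify rather than a defect seen here. Two smaller points in the log call: `port` is declared `unsigned` but printed with `%d` (use `%u`), and the message is emitted at SSL_LOG_INFO for every plaintext connection on a shared host, which on a busy port 80 will flood the SSL log — SSL_LOG_DEBUG seems the better level. The comparison is int against unsigned, which is only safe while nOnlyOnPort is guaranteed positive, so the directive handler should reject 0 and negative values. The enclosing function starts before this hunk.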