Re: SSL enabled name virtual hosts

2006-03-05 Thread William A. Rowe, Jr.

Daniel Rogers wrote:

> However, this seems like an artifact of the config file data
> organization and/or an apache implementation limitation, rather than a
> limitation on the protocol itself.


I would just ignore the troll, but you have put the time into trying to
think this through, so we repeat...

Client                      Server
request handshake     -->   acknowledge handshake
          negotiate keys and credentials
connection secure     <--   complete handshake

          now encrypted...

send headers (Host:)  -->   read headers, choose a virtual host
read response         <--   prepare response

The client and server agreed upon a certificate before Host: was seen.
No problem, right?  Only issue is for the client, it thinks that example.com
isn't example.net as recorded in the common name.  We can't vary on Host:
before we see Host:, and we won't see Host: till handshake is complete.

Stop bitching about a 10 year old spec.  It's trivial, use a modern browser
(beyond today - none exist yet) that can do Connection-Upgrade and agree
about the text of the headers before the ssl handshake is performed.  The
browser people haven't caught up, because it's a non-trivial problem to
represent that the agreed-upon connection is secure to the user, or that
a secure connection is available to be toggled, or whatever.  These aren't
https:// requests, they are http:// with extra semantics.  Modern clients
such as remote printing over http and neon/curl libraries already support
it now, IIUC.  As does httpd 2.2.



SSL enabled name virtual hosts

2006-03-05 Thread Daniel Rogers
Hello all

Pardon me for being dense.

Also, I haven't searched the archives on this subject, the archive
search page was down, so I hope I am not starting a flame by rehashing
what I suspect could be a rather heated topic.


I am not convinced by the argument that name based SSL virtual hosting
is impossible.  Yes.  I understand that in order to understand your ssl
configuration you need to pick a virtual host context.  Since you don't
have the hostname the server was requested as at the time of the SSL
negotiation, you end up falling through to the default SSL host.

However, this seems like an artifact of the config file data
organization and/or an apache implementation limitation, rather than a
limitation on the protocol itself.

For example:
Suppose  I wanted to mangle apache into doing something like name
virtual hosting for SSL enabled clients.  Here is how I envision this
being possible:

- Tell apache to listen on a new port (say, 444).
- For the default first host on port 443, I create a script, which reads
the http Host: header and then issues the exact same request on port 444
of the machine and echoes the output.
- Now create name based virtual host definitions for port 444 anywhere
you would like to have name based SSL virtual hosts.

Granted, there are some pretty serious limitations with this design.
For example:

- you would probably only want port 444 available from local interfaces
(which can be enforced with a firewall).

- you can't create access rules based on ip address or ssl status from
within apache.

- You need to filter the response headers to keep up the facade, as it
were.  (for example, making sure you filter redirects to redirect to the
proxy script and not what the virtual host thinks it is).

- the name based virtual SSL hosts would effectively all have the
same SSL certificate.  This, however, can be dealt with effectively and
completely with the SubjectAltName field of the server cert.

- numerous other issues with the documents you are serving being shown a
different port number than is actually being served.

This would have the effect that people are looking for.  One ssl enabled
host, which presents a different DocumentRoot based on the Host: http
header.  The code to do this would only be a few hundred lines in php or
perl, if you rely on an already existing http request class.

However, I don't see why this couldn't be implemented in apache, and
remove all the limitations I mentioned above, except for the need for a
certificate with a subjectAltName. For example, suppose you have a
second name virtual host style configuration directive that
looked something like:


/all ssl options here/


Then, instead of picking a virtual host definition in order to be able
to negotiate the SSL session, the SSLNameVirtualHost statement would
have all that it needed to negotiate the SSL session, then, after the
SSL session is negotiated, the virtual host definitions could be
consulted for a suitable virtual host to serve to the client.  This
would allow the virtual host to define access controls again.  This
would also mean that it would be impossible to specify SSL options in a
particular virtual SSL host definition, but I would certainly be willing
to accept that limitation, especially compared to our choices now (and I
bet others would as well).

In fact, the fact that the ssl negotiation parameters have to be the
same for all the name virtual hosts would be the only significant
limitation.  And the fact that you can use subjectAltName to specify
alternate hostnames in an SSL certificate will almost completely mitigate
this limitation for most people.

Is there any reason why this can't be implemented in apache?

Again, to be clear, I made name based virtual ssl hosts work.  The
documentation says this is impossible.  It is not.  It would, however,
work worlds better if implemented from within apache.

-- 
Daniel Rogers
[EMAIL PROTECTED]
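
The name mismatch William describes (one certificate chosen before Host: is seen) and the subjectAltName mitigation Daniel proposes can be checked mechanically. The following is an added example, not code from either post or from httpd; the certificates and vhost names are constructed, in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns.

```python
"""Which name-based vhosts does one shared certificate actually cover?"""

# Constructed certificates, in the dict shape ssl.SSLSocket.getpeercert() returns.
CN_ONLY_CERT = {
    "subject": ((("commonName", "example.net"),),),
}
SAN_CERT = {
    "subject": ((("commonName", "example.net"),),),
    "subjectAltName": (
        ("DNS", "example.net"),
        ("DNS", "example.com"),
        ("DNS", "*.example.org"),
    ),
}
# Hypothetical name-based virtual hosts that all share one IP:port.
VHOSTS = ["example.net", "example.com", "www.example.org", "a.b.example.org"]


def cert_dns_names(cert):
    """RFC 2818: dNSName SAN entries are the identity; CN is only a fallback."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, host):
    """Case-insensitive match; '*' may only stand for the whole leftmost label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans more than one label
    if p_labels[0] == "*":
        return bool(h_labels[0]) and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def uncovered_vhosts(cert, vhosts):
    """Vhosts whose clients would see a name mismatch with this certificate."""
    names = cert_dns_names(cert)
    return [h for h in vhosts if not any(name_matches(n, h) for n in names)]


if __name__ == "__main__":
    for label, cert in (("CN only", CN_ONLY_CERT), ("with SAN", SAN_CERT)):
        print(label, "-> mismatch for:", uncovered_vhosts(cert, VHOSTS))
```

Running the same check against the certificate a server really presents, for every ServerName it serves on that address, shows which hosts still need their own IP or an extra SAN entry.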



Bug report for Apache httpd-2 [2006/03/06]

2006-03-05 Thread bugzilla
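+---------------------------------------------------------------------------+
| Bugzilla Bug ID                                                           |
|     +---------------------------------------------------------------------+
|     | Status: UNC=Unconfirmed NEW=New         ASS=Assigned                |
|     |         OPN=Reopened    VER=Verified    (Skipped Closed/Resolved)   |
|     |   +-----------------------------------------------------------------+
|     |   | Severity: BLK=Blocker     CRI=Critical    MAJ=Major             |
|     |   |           MIN=Minor       NOR=Normal      ENH=Enhancement       |
|     |   |   +-------------------------------------------------------------+
|     |   |   | Date Posted                                                 |
|     |   |   |          +--------------------------------------------------+
|     |   |   |          | Description                                      |
|     |   |   |          |                                                  |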
| 7483|Ass|Enh|2002-03-26|Add FileAction directive to assign a cgi interpret|
| 7741|Ass|Nor|2002-04-04|some directives may be placed outside of proper co|
| 7862|New|Enh|2002-04-09|suexec never log a group name.|
| 8483|Inf|Min|2002-04-24|apache_2.0 .msi installer breaks .log and .conf fi|
| 8713|New|Min|2002-05-01|No Errorlog on PROPFIND/Depth:Infinity|
| 8925|New|Cri|2002-05-09|Service Install (win32 .msi/.exe) fails for port i|
| 9727|New|Min|2002-06-09|Double quotes should be flagged as T_HTTP_TOKEN_ST|
| 9903|Opn|Maj|2002-06-16|mod_disk_cache does not remove temporary files|
| 9945|New|Enh|2002-06-18|[PATCH] new funtionality for apache bench |
|10114|Ass|Enh|2002-06-21|Negotiation gives no weight to order, only q value|
|10154|Ass|Nor|2002-06-23|ApacheMonitor interferes with service uninstall/re|
|10722|Opn|Nor|2002-07-12|ProxyPassReverse doesn't change cookie paths  |
|10775|Ass|Cri|2002-07-13|SCRIPT_NAME wrong value   |
|10932|Opn|Enh|2002-07-18|Allow Negative regex in LocationMatch |
|11035|New|Min|2002-07-22|Apache adds double entries to headers generated by|
|11294|New|Enh|2002-07-30|desired vhost_alias option|
|11427|Opn|Maj|2002-08-02|Possible Memory Leak in CGI script invocation |
|11540|Opn|Nor|2002-08-07|ProxyTimeout ignored  |
|11580|Opn|Enh|2002-08-09|generate Content-Location headers |
|11971|Opn|Nor|2002-08-23|HTTP proxy header "Via" with wrong hostname if Ser|
|11997|Opn|Maj|2002-08-23|Strange critical errors possibly related to mpm_wi|
|12033|Opn|Nor|2002-08-26|Graceful restart immidiately result in [warn] long|
|12340|Opn|Nor|2002-09-05|WindowsXP proxy, child process exited with status |
|12680|New|Enh|2002-09-16|Digest authentication with integrity protection   |
|12885|New|Enh|2002-09-20|windows 2000 build information: mod_ssl, bison, et|
|13029|New|Nor|2002-09-26|Win32 mod_cgi failure with non-ASCII characters in|
|13101|Inf|Cri|2002-09-27|Using mod_ext_filter with mod_proxy and http/1.1 c|
|13599|Ass|Nor|2002-10-14|autoindex formating broken for multibyte sequences|
|13603|New|Nor|2002-10-14|incorrect DOCUMENT_URI in mod_autoindex with Heade|
|13661|Ass|Enh|2002-10-15|Apache cannot not handle dynamic IP reallocation  |
|13946|Inf|Nor|2002-10-24|reverse proxy errors when a document expires from |
|13986|Ass|Enh|2002-10-26|remove default MIME-type  |
|14016|Inf|Nor|2002-10-28|Problem when using mod_ext_filter with ActivePerl |
|14090|New|Maj|2002-10-30|mod_cgid always writes to main server error log   |
|14104|Opn|Enh|2002-10-30|not documented: must restart server to load new CR|
|14206|New|Nor|2002-11-04|DirectoryIndex circumvents -FollowSymLinks option |
|14227|Ass|Nor|2002-11-04|Error handling script is not started (error 500) o|
|14496|New|Enh|2002-11-13|Cannot upgrade 2.0.39 -> 2.0.43. Must uninstall fi|
|14556|Inf|Nor|2002-11-14|mod_cache with mod_mem_cache enabled doesnt cash m|
|14858|New|Enh|2002-11-26|mod_cache never caches responses for requests requ|
|14922|Ass|Enh|2002-11-28| is currently hardcoded to 'apache2'  |
|15045|Ass|Nor|2002-12-04|addoutputfilterbytype doesn't work for defaulted t|
|15233|Opn|Nor|2002-12-10|move AddType application/x-x509-ca-cert from ssl.c|
|15235|New|Nor|2002-12-10|add application/x-x509-email-cert, application/x-x|
|15625|New|Nor|2002-12-23|mention mod_ssl in http://nagoya.apache.org/dist/h|
|15626|New|Nor|2002-12-23|mention which modules are part of the (binary) dis|
|15631|New|Nor|2002-12-23|mention in httpd.conf that mod_ssl is not included|
|15719|Inf|Nor|2002-12-30|WebDAV MOVE to destination URI which is content-ne|
|15757|Opn|Nor|2003-01-02|Assumption of sizeof (void*)/int begin equal (64-b|
|15857|Opn|Nor|2003-01-07|MUST handle "chunked" response with a 16385Byte-lo|
|15859|Opn|Nor|2003-01-07|wrong Content-Length header is forwarded when de-c|
|15861|New|Nor|

Bug report for Apache httpd-1.3 [2006/03/06]

2006-03-05 Thread bugzilla
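+---------------------------------------------------------------------------+
| Bugzilla Bug ID                                                           |
|     +---------------------------------------------------------------------+
|     | Status: UNC=Unconfirmed NEW=New         ASS=Assigned                |
|     |         OPN=Reopened    VER=Verified    (Skipped Closed/Resolved)   |
|     |   +-----------------------------------------------------------------+
|     |   | Severity: BLK=Blocker     CRI=Critical    MAJ=Major             |
|     |   |           MIN=Minor       NOR=Normal      ENH=Enhancement       |
|     |   |   +-------------------------------------------------------------+
|     |   |   | Date Posted                                                 |
|     |   |   |          +--------------------------------------------------+
|     |   |   |          | Description                                      |
|     |   |   |          |                                                  |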
| 8329|New|Nor|2002-04-20|mime_magic gives 500 and no error_log on Microsoft|
| 8372|Ass|Nor|2002-04-22|Threadsaftey issue in Rewrite's cache [Win32/OS2/N|
| 8849|New|Nor|2002-05-07|make install errors as root on NFS shares |
| 8882|New|Enh|2002-05-07|[PATCH] mod_rewrite communicates with external rew|
| 9037|New|Min|2002-05-13|Slow performance when acessing an unresolved IP ad|
| 9126|New|Blk|2002-05-15|68k-next-openstep v. 4.0  |
| 9726|New|Min|2002-06-09|Double quotes should be flagged as T_HTTP_TOKEN_ST|
| 9894|New|Maj|2002-06-16|getline sub in support progs collides with existin|
| |New|Nor|2002-06-19|Incorrect default manualdir value with layout.|
|10038|New|Min|2002-06-20|ab benchmaker hangs on 10K https URLs with keepali|
|10073|New|Maj|2002-06-20|upgrade from 1.3.24 to 1.3.26 breaks include direc|
|10169|New|Nor|2002-06-24|Apache seg faults due to attempt to access out of |
|10178|New|Maj|2002-06-24|Proxy server cuts off begining of buffer when spec|
|10195|New|Nor|2002-06-24|Configure script erroneously detects system Expat |
|10199|New|Nor|2002-06-24|Configure can't handle directory names with unders|
|10243|New|Maj|2002-06-26|CGI scripts not getting POST data |
|10354|New|Nor|2002-06-30|ErrorDocument(.htaccess) fails when passed URL wit|
|10446|Opn|Blk|2002-07-03|spaces in link to http server seen as foreign char|
|10666|New|Enh|2002-07-10|line-end comment error message missing file name  |
|10744|New|Nor|2002-07-12|suexec might fail to open log file|
|10747|New|Maj|2002-07-12|ftp SIZE command and 'smart' ftp servers results i|
|10760|New|Maj|2002-07-12|empty ftp directory listings from cached ftp direc|
|10939|New|Maj|2002-07-18|directory listing errors  |
|11020|New|Maj|2002-07-21|APXS only recognise tests made by ./configure |
|11236|New|Min|2002-07-27|Possible Log exhaustion bug?  |
|11265|New|Blk|2002-07-29|mod_rewrite fails to encode special characters|
|11765|New|Nor|2002-08-16|.apaci.install.tmp installs in existing httpd.conf|
|11986|New|Nor|2002-08-23|Restart hangs when piping logs on rotation log pro|
|12096|New|Nor|2002-08-27|apxs does not handle binary dists installed at non|
|12574|New|Nor|2002-09-12|Broken images comes from mod_proxy when caching ww|
|12583|New|Nor|2002-09-12|First piped log process do not handle SIGTERM |
|12598|Opn|Maj|2002-09-12|Apache hanging in Keepalive State |
|12770|Opn|Nor|2002-09-18|ErrorDocument fail redirecting error 400  |
|13188|New|Nor|2002-10-02|does not configure correctly for hppa64-hp-hpux11.|
|13274|Ass|Nor|2002-10-04|Subsequent requests are destroyed by the request e|
|13607|Opn|Enh|2002-10-14|Catch-all enhancement for vhost_alias?|
|13687|New|Min|2002-10-16|Leave Debug symbol on Darwin  |
|13822|New|Maj|2002-10-21|Problem while running Perl modules accessing CGI::|
|14095|Opn|Nor|2002-10-30|Change default Content-Type (DefaultType) in defau|
|14250|New|Maj|2002-11-05|Alternate UserDirs don't work intermittantly  |
|14443|New|Maj|2002-11-11|Keep-Alive randomly causes TCP RSTs   |
|14448|Opn|Cri|2002-11-11|Apache WebServer not starting if installed on Comp|
|14518|Opn|Nor|2002-11-13|QUERY_STRING parts not incorporated by mod_rewrite|
|14670|New|Cri|2002-11-19|Apache didn't deallocate unused memory|
|14748|New|Nor|2002-11-21|Configure Can't find DBM on Mac OS X  |
|15011|New|Nor|2002-12-03|Apache processes not timing out on Solaris 8  |
|15028|New|Maj|2002-12-03|RedirectMatch does not escape properly|
|16013|Opn|Nor|2003-01-13|Fooling mod_autoindex + IndexIgnore   |
|16236|New|Maj|2003-01-18|Include directive in Apache is not parsed within c|
|16241|New|Maj|2003-01-19|Apache processes takes 100% CPU until killed manua|
|16492|New|Maj|2003-01-28|mod_proxy doesn't correctly retrieve values from C|
|16493|

Should fastcgi be a proxy backend?

2006-03-05 Thread Garrett Rooney
So, predictably, now that we've gotten mod_proxy_fcgi to the point
where it's actually able to run real applications I'm starting to
question some basic assumptions we made when we started out along this
course.

The general idea was that we want to be able to get content from some
fastcgi processes.  That seems pretty similar to what mod_proxy_http
does with other http servers, and mod_proxy_ajp with java app servers,
and heck, since we're probably going to have lots of back end fastcgi
processes it sure is cool that we've got that mod_proxy_balancer stuff
to handle that part of the equation.

It sure seems like a good idea, doesn't it?  And at first glance it
is, I mean it basically works, I can set up a balancer group with a
bunch of back end fastcgi processes that I started up with the new
fcgistarter program, and it'll pretty much do what we want.

But there are some issues looming on the horizon.

First of all, mod_proxy_balancer really assumes that you can make
multiple connections to back end fastcgi processes at once.  This may
be true for some things that speak fastcgi (python programs that use
flup to do it sure look like they'd work for that sort of thing, but I
haven't really tried it yet), but in general the vast majority of
fastcgi programs are single threaded, non-asynchronous, and are
designed to process exactly one connection at a time.  This is sort of
a problem because mod_proxy_balancer doesn't actually have any
mechanism for coordinating between the various httpd processes about
who is using what backend process.

Second, mod_proxy_balancer doesn't (seem to) have any real mechanism
for adding back end processes on the fly, which is something that
would be really nice to be able to do.  I'd eventually love to be able
to tell mod_proxy_fcgi that it should start up N back end processes at
startup, and create up to M more if needed at any given time. 
Processes should be able to be killed off if they become nonresponsive
(or probably after processing a certain number of requests), and they
should NOT be bound up to a single httpd worker process.

This all means that some kind of mechanism for coordinating access to
and creation of back end processes needs to be created, and as it
moves on it starts to feel less and less like this sort of
functionality is generically useful to other back end fastcgi
processes.  Maybe I'm wrong about that though.

Oh, and in order to do any of the really cool stuff we'll also have to
rework the way mod_proxy handles arguments that are given to ProxyPass
statements, so that they can be passed down to something other than
either mod_proxy or mod_proxy_balancer.  And even after we do that,
we'll still be stuck in this situation where you end up with like a
bazillion options on the end of each fastcgi ProxyPass, when really
we'd want them to be per-balancer or per-directory or something like
that.  It just feels kinda clunky.

Finally, I have to say that I'm starting to wonder what we're actually
getting out of using the proxy framework for this.  I mean all it's
doing is creating some sockets for us, all the other stuff I just
talked about pretty much needs to be implemented itself, and it's
questionable whether any of it would be useful for something other
than the fastcgi code.

So is there some reason I'm missing that justifies staying within the
proxy framework, cause I'm really tempted to just create a handler
module that reuses most of the mod_proxy_fcgi code, since it sure
feels like it'd be easier to write this stuff if I didn't have to
shoehorn it into mod_proxy.

-garrett