Posted to modules-dev@httpd.apache.org by Michael Sløgedal <mi...@dots.no> on 2017/03/30 15:20:14 UTC
mod_ssl custom vhost module
Hi,
I have a custom vhost module using ap_hook_translate_name and sql lookup. This is enabled through a single VirtualHost section in config.
Now I need to add ssl certificates with SNI on selected sites / domains. What's the best way to go about this?
I looked a little at the mod_ssl source code, and it seems it does a lot of preprocessing at the config stage, and relies on a combination of VirtualHost and ServerName / Alias directives.
I suppose this means that mod_ssl wouldn't work with grabbing certificates based on a path stored in sql on-the-fly.
So, what's the best way to approach this?
Do I hook into config processing in my vhost module and generate "fake" virtualhost entries based on database data? The minus here is I can't make changes in db without reloading httpd config.
Or, do I edit mod_ssl to check sql in addition to virtualhosts, and read / prepare a certificate context on the fly? Maybe cache these for next time the same domain is requested?
Or something completely different? :)
To sum up:
Database Table (Domain varchar, DocumentRoot varchar, CertificatePath varchar, KeyPath varchar)
No <VirtualHost> section per domain/site.
Need my mod_custom_vhost or mod_ssl to check this table for certificates and add to list processed by mod_ssl during SNI.
--
Best regards,
Michael
Re: mod_ssl custom vhost module
Posted by Nick Kew <ni...@apache.org>.
On Thu, 2017-03-30 at 15:20 +0000, Michael Sløgedal wrote:
> I looked a little on the mod_ssl source code, and it seems it does a lot of preprocessing on config stage, and relies on a combination of VirtualHost and ServerName / Alias directives.
> I suppose this means that mod_ssl wouldn't work with grabbing certificates based on a path stored in sql on-the-fly.
I'm not familiar with the murky recesses of mod_ssl. But if I've
understood you aright, I think a good starting point would be to
see if you can hook something in to connection processing, that'll
in turn run something ahead of mod_ssl getting in to a connection.
Not sure if that actually leads anywhere useful. Just a thought,
if you haven't already tried it. Your main problem is that you
have a hack that shoehorns vhosts in where they don't belong.
--
Nick Kew
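
An added example, not code from this thread or from mod_ssl, of the lookup step behind the "check sql and cache" idea in the first message: the client-supplied SNI name is validated and lower-cased before it is used as a key, and both hits and misses are cached in a bounded table. `db_lookup`, its sample row, the file paths and the cache size are assumptions standing in for the table (Domain, CertificatePath, KeyPath) described above.

```c
/* Added example. db_lookup() and its row are constructed stand-ins for the SQL query. */
#include <ctype.h>
#include <string.h>
#define MAX_NAME 253
#define CACHE_SLOTS 64
struct cert_entry { char name[MAX_NAME + 1]; const char *cert, *key; };
static struct cert_entry cache[CACHE_SLOTS];
int db_queries; /* counts backend hits so the effect of the cache is visible */

/* Lower-case and validate an untrusted SNI name: letters, digits, '-' and '.' only. */
int normalize_sni(const char *in, char *out) {
    size_t n = in ? strlen(in) : 0, label = 0;
    if (n == 0 || n > MAX_NAME) return -1;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '.') {              /* no empty label, no label ending in '-' */
            if (label == 0 || in[i - 1] == '-') return -1;
            label = 0;
        } else if (isalnum(c) || (c == '-' && label > 0)) {
            if (++label > 63) return -1;
        } else return -1;            /* quotes, slashes, spaces, NUL-free junk */
        out[i] = (char)tolower(c);
    }
    if (label == 0 || in[n - 1] == '-') return -1;
    out[n] = '\0';
    return 0;
}
/* Constructed stand-in for: SELECT CertificatePath, KeyPath WHERE Domain = ? */
static int db_lookup(const char *name, const char **cert, const char **key) {
    db_queries++;
    if (strcmp(name, "shop.example.test") != 0) return -1;
    *cert = "/etc/ssl/sites/shop.crt"; /* constructed paths */
    *key = "/etc/ssl/sites/shop.key";
    return 0;
}

/* 1 = certificate found, 0 = none (use the default context), -1 = bad name. */
int sni_lookup(const char *sni, const char **cert, const char **key) {
    char name[MAX_NAME + 1];
    if (normalize_sni(sni, name) != 0) return -1;
    unsigned h = 5381;
    for (const char *p = name; *p; p++) h = h * 33 + (unsigned char)*p;
    struct cert_entry *e = &cache[h % CACHE_SLOTS];  /* direct-mapped, bounded */
    if (strcmp(e->name, name) != 0) {  /* miss: query once, overwrite the slot */
        e->cert = e->key = NULL;       /* NULL is a cached "no certificate" */
        db_lookup(name, &e->cert, &e->key);
        strcpy(e->name, name);
    }
    *cert = e->cert; *key = e->key;
    return e->cert != NULL;
}
```

Inside httpd the table would need a mutex under threaded MPMs and an expiry time so that database changes are picked up without a reload.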