Posted to modules-dev@httpd.apache.org by Michael Sløgedal <mi...@dots.no> on 2017/03/30 15:20:14 UTC

mod_ssl custom vhost module

Hi,

I have a custom vhost module using ap_hook_translate_name and sql lookup. This is enabled through a single VirtualHost section in config.

Now I need to add ssl certificates with SNI on selected sites / domains. What's the best way to go about this?

I looked a little on the mod_ssl source code, and it seems it does a lot of preprocessing on config stage, and relies on a combination of VirtualHost and ServerName / Alias directives.
I suppose this means that mod_ssl wouldn't work with grabbing certificates based on a path stored in sql on-the-fly.

So, what's the best way to approach this?

Do I hook into config processing in my vhost module and generate "fake" virtualhost entries based on database data? The minus here is I can't make changes in db without reloading httpd config.

Or, do I edit mod_ssl to check sql in addition to virtualhosts, and read / prepare a certificate context on the fly? Maybe cache these for next time the same domain is requested?

Or something completely different? :)

To sum up:

Database Table (Domain varchar, DocumentRoot varchar, CertificatePath varchar, KeyPath varchar)

No <VirtualHost> section per domain/site.

Need my mod_custom_vhost or mod_ssl to check this table for certificates and add to list processed by mod_ssl during SNI.

--
Best regards,

Michael
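The table-driven certificate lookup with per-domain caching that the post sketches, shown as an added example (not code from the post or from httpd): it demonstrates the mechanism through Python's ssl.SSLContext.sni_callback rather than as an Apache module, and the VHOST_TABLE dict with its paths is a constructed stand-in for the SQL query.

```python
import re
import ssl
import threading
# Constructed stand-in for the SQL table in the post:
# Domain -> (DocumentRoot, CertificatePath, KeyPath). All paths are hypothetical.
VHOST_TABLE = {
    "example.org": ("/srv/www/example.org", "/etc/ssl/site/example.org.crt", "/etc/ssl/site/example.org.key"),
    "example.net": ("/srv/www/example.net", "/etc/ssl/site/example.net.crt", "/etc/ssl/site/example.net.key"),
}
# A hostname made only of DNS label characters; anything else is not a lookup key.
_HOST_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$")

def build_context(cert_path, key_path):
    # Prepare a server-side SSLContext for one site from the paths in its table row.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert_path, key_path)
    return ctx

class SniCertSelector:
    """Map the SNI name to a cached per-site SSLContext; unknown or malformed
    names get the default context, so a bad name never reaches the filesystem."""
    def __init__(self, table, default_ctx, build=build_context):
        self.table, self.default_ctx, self.build = table, default_ctx, build
        self.cache, self.lock = {}, threading.Lock()

    @staticmethod
    def normalise(name):
        # SNI is client-controlled: it is only ever a case-folded lookup key,
        # never something a path is derived from (paths come from the table).
        if not name or len(name) > 253:
            return None
        name = name.lower().rstrip(".")
        return name if _HOST_RE.match(name) else None

    def select(self, servername):
        # Return the context for servername, building and caching it on first use.
        key = self.normalise(servername)
        row = self.table.get(key) if key else None
        if row is None:
            return self.default_ctx          # no row: serve the default certificate
        with self.lock:                      # the callback may run on several threads
            ctx = self.cache.get(key)
            if ctx is None:
                _docroot, cert_path, key_path = row
                ctx = self.cache[key] = self.build(cert_path, key_path)
        return ctx

    def sni_callback(self, sslobj, servername, _ctx):
        # Shape expected by ssl.SSLContext.sni_callback; returning None lets the handshake proceed.
        sslobj.context = self.select(servername)
        return None
```

Wire it in with `default_ctx.sni_callback = SniCertSelector(VHOST_TABLE, default_ctx).sni_callback`; the equivalent moment inside mod_ssl is OpenSSL's servername callback, which is the point a module-level solution would have to reach.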


Re: mod_ssl custom vhost module

Posted by Nick Kew <ni...@apache.org>.
On Thu, 2017-03-30 at 15:20 +0000, Michael Sløgedal wrote:

> I looked a little on the mod_ssl source code, and it seems it does a lot of preprocessing on config stage, and relies on a combination of VirtualHost and ServerName / Alias directives.
> I suppose this means that mod_ssl wouldn't work with grabbing certificates based on a path stored in sql on-the-fly.

I'm not familiar with the murky recesses of mod_ssl.  But if I've
understood you aright, I think a good starting point would be to
see if you can hook something into connection processing, that'll
in turn run something ahead of mod_ssl getting into a connection.

Not sure if that actually leads anywhere useful.  Just a thought,
if you haven't already tried it.  Your main problem is that you
have a hack that shoehorns vhosts in where they don't belong.

-- 
Nick Kew