Posted to modules-dev@httpd.apache.org by Hardy Griech <nt...@mardys.de> on 2011/05/02 20:51:37 UTC
Re: mod_gnutls and mod_proxy (TLS termination)
On 29.04.2011 11:09, Ben Noordhuis wrote:
:
> Alternatively, compile Apache and mod_gnutls with -g -O0 and run it
> with `gdb --args httpd -X -e debug`. Put a breakpoint on the
> pre_connection hook and take it from there.
:
Thanks to your hints, I've now found the problematic line of code.
Originally it was:

    if(c->remote_addr->hostname)
        /* Connection initiated by Apache (mod_proxy) => ignore */
        return OK;

Modifying it to:

    if(c->remote_addr->hostname ||
       apr_strnatcmp(c->remote_ip,c->local_ip) == 0) {
        /* Connection initiated by Apache (mod_proxy) => ignore */
        return OK;
    }

solves the proxy issues.
Now my concern is, how can I reliably catch the condition that the
connection has been initiated by mod_proxy. Any ideas?
Hardy
Re: mod_gnutls and mod_proxy (TLS termination)
Posted by Ben Noordhuis <in...@bnoordhuis.nl>.
On Wed, May 4, 2011 at 17:50, Hardy Griech <nt...@mardys.de> wrote:
> Sorry, my fault. I focused on ssl_proxy_enable() which is not called in my
> case. ssl_engine_disable() does the job.
>
> So my problem is hopefully solved.
>
> Disadvantage of this solution is, that mod_ssl and mod_gnutls cannot be
> loaded simultaneously.
I think you can work around this by chaining the optional functions.
In your pre_config hook, look up and store the mod_ssl functions, then
register your own. Your functions do their thing when it's mod_gnutls
handling the connection and delegate to their mod_ssl counterparts
otherwise.
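
The chaining described in the reply above, as an added example that is not part of the thread and is not mod_gnutls or mod_ssl code: a self-contained C model in which a small name-to-function table stands in for httpd's optional-function registry. conn_model, the registry helpers and the modssl_/gnutls_ function names are constructed for illustration; only ssl_engine_disable is a name from the thread. It assumes a later registration under the same name replaces the earlier one.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-ins: a two-field connection and a name->function table
 * modelling the registry behind APR_REGISTER_OPTIONAL_FN and
 * APR_RETRIEVE_OPTIONAL_FN. Return value: 1 = handled, 0 = not handled. */
typedef struct { int handled_by_gnutls; int tls_enabled; } conn_model;
typedef int (*engine_disable_fn)(conn_model *);

#define MAX_FNS 8
static struct { const char *name; engine_disable_fn fn; } registry[MAX_FNS];
static int registry_len;

/* Assumption of this model: re-registering a name replaces the old entry. */
static void register_optional_fn(const char *name, engine_disable_fn fn) {
    for (int i = 0; i < registry_len; i++)
        if (strcmp(registry[i].name, name) == 0) { registry[i].fn = fn; return; }
    if (registry_len < MAX_FNS) {
        registry[registry_len].name = name;
        registry[registry_len++].fn = fn;
    }
}

static engine_disable_fn retrieve_optional_fn(const char *name) {
    for (int i = 0; i < registry_len; i++)
        if (strcmp(registry[i].name, name) == 0) return registry[i].fn;
    return NULL;   /* nobody registered it, e.g. mod_ssl is not loaded */
}

/* Model of mod_ssl's function, registered from its register_hooks. */
static int modssl_calls;
static int modssl_engine_disable(conn_model *c) { modssl_calls++; c->tls_enabled = 0; return 1; }
static void modssl_register_hooks(void) {
    register_optional_fn("ssl_engine_disable", modssl_engine_disable);
}

/* The chaining module: remember the previous owner, then take the name over. */
static engine_disable_fn prev_engine_disable;
static int chained_engine_disable(conn_model *c) {
    if (c->handled_by_gnutls) { c->tls_enabled = 0; return 1; }
    /* Not ours: delegate, or report "not handled" if nobody was there before. */
    return prev_engine_disable ? prev_engine_disable(c) : 0;
}
static void gnutls_pre_config(void) {
    engine_disable_fn found = retrieve_optional_fn("ssl_engine_disable");
    if (found != chained_engine_disable)   /* second pass: never chain to ourselves */
        prev_engine_disable = found;
    register_optional_fn("ssl_engine_disable", chained_engine_disable);
}
```

The guard in gnutls_pre_config matters when the hook runs more than once: without it the stored pointer would be the chaining function itself and every delegated call would recurse.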
Re: mod_gnutls and mod_proxy (TLS termination)
Posted by Hardy Griech <nt...@mardys.de>.
On 03.05.2011 21:48, Ben Noordhuis wrote:
:
> Hardy, when and where are you registering your optional functions?
> mod_proxy looks them up in the post_config phase so they must have
> been registered by then. register_hooks is a good place for it.
:
Sorry, my fault. I focused on ssl_proxy_enable() which is not called in
my case. ssl_engine_disable() does the job.
So my problem is hopefully solved.
Disadvantage of this solution is, that mod_ssl and mod_gnutls cannot be
loaded simultaneously.
Many thanks again for your help, Ben.
Hardy
PS:
> Can you perhaps post or link to your code?
I hope, I will get my modifications into the official mod_gnutls source
Re: mod_gnutls and mod_proxy (TLS termination)
Posted by Ben Noordhuis <in...@bnoordhuis.nl>.
On Tue, May 3, 2011 at 21:10, Hardy Griech <nt...@mardys.de> wrote:
> On 03.05.2011 00:13, Ben Noordhuis wrote:
>>
>> On Mon, May 2, 2011 at 20:51, Hardy Griech<nt...@mardys.de> wrote:
>>>
>>> Now my concern is, how can I reliably catch the condition that the
>>> connection has been initiated by mod_proxy. Any ideas?
>>
>> r->proxyreq != PROXYREQ_NONE? Does 'initiated' mean 'request from an
>> external reverse proxy' or 'request handled by mod_proxy'?
>
> Sorry, I forgot to mention that the code is in the pre-connection hook. So
> no proxyreq available :-(
>
> Also my previous patch does not work, if the destination server is on
> another machine.
>
> Currently I'm checking (c->sbh == NULL) to detect the mod_proxy request
> (yes, I meant a mod_proxy request).
>
> In mod_ssl they seem to have a similar problem with mod_proxy: mod_proxy
> calls some mod_ssl functions (ssl_proxy_enable() and ssl_engine_disable())
> to signal a request handled by mod_proxy.
>
> I've tried to implement also these two functions - without success, they are
> never called also I've tried to register them just like mod_ssl does
> (mod_ssl is not loaded BTW).
Hardy, when and where are you registering your optional functions?
mod_proxy looks them up in the post_config phase so they must have
been registered by then. register_hooks is a good place for it.
Can you perhaps post or link to your code?
Re: mod_gnutls and mod_proxy (TLS termination)
Posted by Hardy Griech <nt...@mardys.de>.
On 03.05.2011 00:13, Ben Noordhuis wrote:
> On Mon, May 2, 2011 at 20:51, Hardy Griech<nt...@mardys.de> wrote:
>> Now my concern is, how can I reliably catch the condition that the
>> connection has been initiated by mod_proxy. Any ideas?
>
> r->proxyreq != PROXYREQ_NONE? Does 'initiated' mean 'request from an
> external reverse proxy' or 'request handled by mod_proxy'?
Sorry, I forgot to mention that the code is in the pre-connection hook.
So no proxyreq available :-(
Also my previous patch does not work, if the destination server is on
another machine.
Currently I'm checking (c->sbh == NULL) to detect the mod_proxy request
(yes, I meant a mod_proxy request).
In mod_ssl they seem to have a similar problem with mod_proxy: mod_proxy
calls some mod_ssl functions (ssl_proxy_enable() and
ssl_engine_disable()) to signal a request handled by mod_proxy.
I've tried to implement also these two functions - without success, they
are never called also I've tried to register them just like mod_ssl does
(mod_ssl is not loaded BTW).
Anyone has an idea how to correctly detect a proxy handled connection?
Thanks
Hardy
Re: mod_gnutls and mod_proxy (TLS termination)
Posted by Ben Noordhuis <in...@bnoordhuis.nl>.
On Mon, May 2, 2011 at 20:51, Hardy Griech <nt...@mardys.de> wrote:
> Now my concern is, how can I reliably catch the condition that the
> connection has been initiated by mod_proxy. Any ideas?
r->proxyreq != PROXYREQ_NONE? Does 'initiated' mean 'request from an
external reverse proxy' or 'request handled by mod_proxy'?