You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by yl...@apache.org on 2017/10/23 14:58:44 UTC
svn commit: r1813026 [2/2] - in /httpd/httpd: branches/2.4.x/STATUS
patches/2.4.x/httpd-2.4.x-r1740928_and_co-v5.patch
Added: httpd/httpd/patches/2.4.x/httpd-2.4.x-r1740928_and_co-v5.patch
URL: http://svn.apache.org/viewvc/httpd/httpd/patches/2.4.x/httpd-2.4.x-r1740928_and_co-v5.patch?rev=1813026&view=auto
==============================================================================
--- httpd/httpd/patches/2.4.x/httpd-2.4.x-r1740928_and_co-v5.patch (added)
+++ httpd/httpd/patches/2.4.x/httpd-2.4.x-r1740928_and_co-v5.patch Mon Oct 23 14:58:44 2017
@@ -0,0 +1,2460 @@
+Merge r1740928, r1740960, r1740967, r1740987, r1740998, r1742697, r1756976, r1781313, r1812193 from trunk:
+
+mod_proxy, mod_ssl: Handle SSLProxy* directives in <Proxy> sections,
+allowing per backend TLS configuration.
+
+
+Follow up to r1740928: better CHANGES entry.
+
+
+Follow up to r1740928: update docs (contexts) and minor MMN.
+
+
+Follow up to r1740928, r1740967: Introduce 'proxy section' context?
+
+
+Follow up to r1740928, r1740987: fix 'proxy section'.
+
+
+Follow up to r1740928: mod_ssl.h now needs http_config.h
+
+
+mod_ssl: follow up to r1740928.
+Quiet (not so )clever compilers about (im)possible use of uninitialized 'mode'.
+
+
+mod_ssl: follow up to r1740928: fix memory leaks from merged proxy_ctx.
+
+
+Follow up to r1740928: including NOT_IN_PROXY in NOT_IN_DIR_LOC_FILE is both
+incomplete and not backportable, fix it by introducing NOT_IN_DIR_CONTEXT and
+restoring NOT_IN_DIR_LOC_FILE to its previous value.
+
+Per ap_check_cmd_context(), NOT_IN_DIR_LOC_FILE actually/really means "not in
+any directory context", while the definition itself does not include all the
+existing directory contexts (e.g. <Limit>, or <Proxy> before r1740928).
+
+This is a bit of a misnomer, at least, so instead of (ab)using it by adding the
+missing contexts (in an incompatible way), let's define NOT_IN_DIR_CONTEXT to
+really exclude all directory context (i.e. NOT_IN_DIR_LOC_FILE + NOT_IN_LIMIT +
+NOT_IN_PROXY) and use it wherever NOT_IN_DIR_LOC_FILE was used.
+
+This is by itself a major MMN bump (modules not compiled with this commit and
+having directives checked against NOT_IN_DIR_LOC_FILE won't be caught the same
+way by NOT_IN_DIR_CONTEXT in the new ap_check_cmd_context() code), but with the
+below change, 2.4.x should work as before:
+
+- if ((forbidden & NOT_IN_DIR_CONTEXT) == NOT_IN_DIR_CONTEXT) {
++ if ((forbidden & NOT_IN_DIR_LOC_FILE) == NOT_IN_DIR_LOC_FILE) {
+ if (cmd->path != NULL) {
+ return apr_pstrcat(cmd->pool, cmd->cmd->name, gt,
+- " cannot occur within directory context", NULL);
++ " cannot occur within <Directory/Location/Files/Proxy> "
++ "section", NULL);
+ }
+ ...
+ }
+
+
+Proposed by: ylavic
+Reviewed by: ylavic,
+
+Index: CHANGES
+===================================================================
+--- CHANGES (revision 1813018)
++++ CHANGES (working copy)
+@@ -1,6 +1,8 @@
+ -*- coding: utf-8 -*-
+ Changes with Apache 2.4.30
+
++ *) mod_proxy, mod_ssl: Handle SSLProxy* directives in <Proxy> sections,
++ allowing per backend TLS configuration. [Yann Ylavic]
+
+ Changes with Apache 2.4.29
+
+Index: docs/manual/mod/mod_ssl.xml
+===================================================================
+--- docs/manual/mod/mod_ssl.xml (revision 1813018)
++++ docs/manual/mod/mod_ssl.xml (working copy)
+@@ -1740,7 +1740,8 @@ SSLStrictSNIVHostCheck on
+ <name>SSLProxyMachineCertificatePath</name>
+ <description>Directory of PEM-encoded client certificates and keys to be used by the proxy</description>
+ <syntax>SSLProxyMachineCertificatePath <em>directory</em></syntax>
+-<contextlist><context>server config</context></contextlist>
++<contextlist><context>server config</context> <context>virtual host</context>
++<context>proxy section</context></contextlist>
+ <override>Not applicable</override>
+
+ <usage>
+@@ -1768,7 +1769,8 @@ SSLProxyMachineCertificatePath "/usr/local/apache2
+ <name>SSLProxyMachineCertificateFile</name>
+ <description>File of concatenated PEM-encoded client certificates and keys to be used by the proxy</description>
+ <syntax>SSLProxyMachineCertificateFile <em>filename</em></syntax>
+-<contextlist><context>server config</context></contextlist>
++<contextlist><context>server config</context> <context>virtual host</context>
++<context>proxy section</context></contextlist>
+ <override>Not applicable</override>
+
+ <usage>
+@@ -1796,7 +1798,8 @@ SSLProxyMachineCertificateFile "/usr/local/apache2
+ <name>SSLProxyMachineCertificateChainFile</name>
+ <description>File of concatenated PEM-encoded CA certificates to be used by the proxy for choosing a certificate</description>
+ <syntax>SSLProxyMachineCertificateChainFile <em>filename</em></syntax>
+-<contextlist><context>server config</context></contextlist>
++<contextlist><context>server config</context> <context>virtual host</context>
++<context>proxy section</context></contextlist>
+ <override>Not applicable</override>
+
+ <usage>
+@@ -1829,8 +1832,9 @@ SSLProxyMachineCertificateChainFile "/usr/local/ap
+ <description>Type of remote server Certificate verification</description>
+ <syntax>SSLProxyVerify <em>level</em></syntax>
+ <default>SSLProxyVerify none</default>
+-<contextlist><context>server config</context>
+-<context>virtual host</context> </contextlist>
++<contextlist><context>server config</context> <context>virtual host</context>
++<context>proxy section</context></contextlist>
++<override>Not applicable</override>
+
+ <usage>
+
+@@ -1869,8 +1873,9 @@ SSLProxyVerify require
+ Certificate verification</description>
+ <syntax>SSLProxyVerifyDepth <em>number</em></syntax>
+ <default>SSLProxyVerifyDepth 1</default>
+-<contextlist><context>server config</context>
+-<context>virtual host</context> </contextlist>
++<contextlist><context>server config</context> <context>virtual host</context>
++<context>proxy section</context></contextlist>
++<override>Not applicable</override>
+
+ <usage>
+ <p>
+@@ -1898,8 +1903,9 @@ SSLProxyVerifyDepth 10
+ </description>
+ <syntax>SSLProxyCheckPeerExpire on|off</syntax>
+ <default>SSLProxyCheckPeerExpire on</default>
+-<contextlist><context>server config</context>
+-<context>virtual host</context></contextlist>
++<contextlist><context>server config</context> <context>virtual host</context>
++<context>proxy section</context></contextlist>
++<override>Not applicable</override>
+
+ <usage>
+ <p>
+@@ -1921,8 +1927,9 @@ SSLProxyCheckPeerExpire on
+ </description>
+ <syntax>SSLProxyCheckPeerCN on|off</syntax>
+ <default>SSLProxyCheckPeerCN on</default>
+-<contextlist><context>server config</context>
+-<context>virtual host</context></contextlist>
++<contextlist><context>server config</context> <context>virtual host</context>
++<context>proxy section</context></contextlist>
++<override>Not applicable</override>
+
+ <usage>
+ <p>
+@@ -1965,8 +1972,9 @@ SSLProxyCheckPeerName off
+ </description>
+ <syntax>SSLProxyCheckPeerName on|off</syntax>
+ <default>SSLProxyCheckPeerName on</default>
+-<contextlist><context>server config</context>
+-<context>virtual host</context></contextlist>
++<contextlist><context>server config</context> <context>virtual host</context>
++<context>proxy section</context></contextlist>
++<override>Not applicable</override>
+ <compatibility>Apache HTTP Server 2.4.5 and later</compatibility>
+
+ <usage>
+@@ -2004,8 +2012,9 @@ improvements.
+ <description>SSL Proxy Engine Operation Switch</description>
+ <syntax>SSLProxyEngine on|off</syntax>
+ <default>SSLProxyEngine off</default>
+-<contextlist><context>server config</context>
+-<context>virtual host</context></contextlist>
++<contextlist><context>server config</context> <context>virtual host</context>
++<context>proxy section</context></contextlist>
++<override>Not applicable</override>
+
+ <usage>
+ <p>
+@@ -2038,9 +2047,9 @@ server to proxy SSL/TLS requests.</p>
+ <description>Configure usable SSL protocol flavors for proxy usage</description>
+ <syntax>SSLProxyProtocol [+|-]<em>protocol</em> ...</syntax>
+ <default>SSLProxyProtocol all -SSLv3 (up to 2.4.16: all)</default>
+-<contextlist><context>server config</context>
+-<context>virtual host</context></contextlist>
+-<override>Options</override>
++<contextlist><context>server config</context> <context>virtual host</context>
++<context>proxy section</context></contextlist>
++<override>Not applicable</override>
+
+ <usage>
+ <!-- XXX Why does this have an override and not .htaccess context? -->
+@@ -2060,11 +2069,10 @@ for additional information.
+ proxy handshake</description>
+ <syntax>SSLProxyCipherSuite <em>cipher-spec</em></syntax>
+ <default>SSLProxyCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP</default>
+-<contextlist><context>server config</context>
+-<context>virtual host</context>
+-<context>directory</context>
+-<context>.htaccess</context></contextlist>
+-<override>AuthConfig</override>
++<contextlist><context>server config</context> <context>virtual host</context>
++<context>proxy section</context></contextlist>
++<override>Not applicable</override>
++
+ <usage>
+ <p>Equivalent to <directive module="mod_ssl">SSLCipherSuite</directive>, but
+ for the proxy connection.
+@@ -2078,8 +2086,9 @@ for additional information.</p>
+ <description>Directory of PEM-encoded CA Certificates for
+ Remote Server Auth</description>
+ <syntax>SSLProxyCACertificatePath <em>directory-path</em></syntax>
+-<contextlist><context>server config</context>
+-<context>virtual host</context></contextlist>
++<contextlist><context>server config</context> <context>virtual host</context>
++<context>proxy section</context></contextlist>
++<override>Not applicable</override>
+
+ <usage>
+ <p>
+@@ -2105,8 +2114,9 @@ SSLProxyCACertificatePath "/usr/local/apache2/conf
+ <description>File of concatenated PEM-encoded CA Certificates
+ for Remote Server Auth</description>
+ <syntax>SSLProxyCACertificateFile <em>file-path</em></syntax>
+-<contextlist><context>server config</context>
+-<context>virtual host</context></contextlist>
++<contextlist><context>server config</context> <context>virtual host</context>
++<context>proxy section</context></contextlist>
++<override>Not applicable</override>
+
+ <usage>
+ <p>
+@@ -2129,8 +2139,9 @@ SSLProxyCACertificateFile "/usr/local/apache2/conf
+ <description>Directory of PEM-encoded CA CRLs for
+ Remote Server Auth</description>
+ <syntax>SSLProxyCARevocationPath <em>directory-path</em></syntax>
+-<contextlist><context>server config</context>
+-<context>virtual host</context></contextlist>
++<contextlist><context>server config</context> <context>virtual host</context>
++<context>proxy section</context></contextlist>
++<override>Not applicable</override>
+
+ <usage>
+ <p>
+@@ -2156,8 +2167,9 @@ SSLProxyCARevocationPath "/usr/local/apache2/conf/
+ <description>File of concatenated PEM-encoded CA CRLs for
+ Remote Server Auth</description>
+ <syntax>SSLProxyCARevocationFile <em>file-path</em></syntax>
+-<contextlist><context>server config</context>
+-<context>virtual host</context></contextlist>
++<contextlist><context>server config</context> <context>virtual host</context>
++<context>proxy section</context></contextlist>
++<override>Not applicable</override>
+
+ <usage>
+ <p>
+@@ -2181,8 +2193,9 @@ SSLProxyCARevocationFile "/usr/local/apache2/conf/
+ <description>Enable CRL-based revocation checking for Remote Server Auth</description>
+ <syntax>SSLProxyCARevocationCheck chain|leaf|none</syntax>
+ <default>SSLProxyCARevocationCheck none</default>
+-<contextlist><context>server config</context>
+-<context>virtual host</context></contextlist>
++<contextlist><context>server config</context> <context>virtual host</context>
++<context>proxy section</context></contextlist>
++<override>Not applicable</override>
+
+ <usage>
+ <p>
+Index: docs/manual/style/lang/en.xml
+===================================================================
+--- docs/manual/style/lang/en.xml (revision 1813018)
++++ docs/manual/style/lang/en.xml (working copy)
+@@ -97,6 +97,7 @@
+ <message id="virtualhost" letter="v">virtual host</message>
+ <message id="directory" letter="d">directory</message>
+ <message id="htaccess" letter="h">.htaccess</message>
++ <message id="proxy" letter="p">proxy section</message>
+
+ <!-- Used for directive lists -->
+ <message id="directives">Directives</message>
+Index: docs/manual/style/latex/quickreference.xsl
+===================================================================
+--- docs/manual/style/latex/quickreference.xsl (revision 1813018)
++++ docs/manual/style/latex/quickreference.xsl (working copy)
+@@ -105,6 +105,10 @@
+ [normalize-space(.)='.htaccess']">
+ <xsl:value-of select="$message[@id='htaccess']/@letter"/>
+ </xsl:if>
++ <xsl:if test="contextlist/context
++ [normalize-space(.)='proxy section']">
++ <xsl:value-of select="$message[@id='proxy']/@letter"/>
++ </xsl:if>
+
+ <xsl:text>&</xsl:text>
+ <xsl:variable name="status" select="translate(
+Index: docs/manual/style/latex/synopsis.xsl
+===================================================================
+--- docs/manual/style/latex/synopsis.xsl (revision 1813018)
++++ docs/manual/style/latex/synopsis.xsl (working copy)
+@@ -326,6 +326,9 @@
+ <xsl:when test="normalize-space(.) = '.htaccess'">
+ <xsl:value-of select="$message[@id='htaccess']" />
+ </xsl:when>
++<xsl:when test="normalize-space(.) = 'proxy section'">
++ <xsl:value-of select="$message[@id='proxy']" />
++</xsl:when>
+ <xsl:otherwise> <!-- error -->
+ <xsl:message terminate="yes">
+ unknown context: <xsl:value-of select="." />
+Index: docs/manual/style/xsl/quickreference.xsl
+===================================================================
+--- docs/manual/style/xsl/quickreference.xsl (revision 1813018)
++++ docs/manual/style/xsl/quickreference.xsl (working copy)
+@@ -117,6 +117,16 @@
+ select="$message[@id='htaccess']"/>
+ </td>
+ </tr>&lf;
++ <tr>
++ <th>
++ <xsl:value-of
++ select="$message[@id='proxy']/@letter"/>
++ </th>
++ <td>
++ <xsl:value-of
++ select="$message[@id='proxy']"/>
++ </td>
++ </tr>&lf;
+ </table>
+ </td>&lf;
+ <td>
+@@ -349,6 +359,10 @@
+ [normalize-space(.)='.htaccess']">
+ <xsl:value-of select="$message[@id='htaccess']/@letter"/>
+ </xsl:if>
++ <xsl:if test="$directive/contextlist/context
++ [normalize-space(.)='proxy section']">
++ <xsl:value-of select="$message[@id='proxy']/@letter"/>
++ </xsl:if>
+ </td>
+ <td>
+ <xsl:choose>
+Index: docs/manual/style/xsl/synopsis.xsl
+===================================================================
+--- docs/manual/style/xsl/synopsis.xsl (revision 1813018)
++++ docs/manual/style/xsl/synopsis.xsl (working copy)
+@@ -608,6 +608,9 @@
+ <xsl:when test="normalize-space(.) = '.htaccess'">
+ <xsl:value-of select="$message[@id='htaccess']" />
+ </xsl:when>
++<xsl:when test="normalize-space(.) = 'proxy section'">
++ <xsl:value-of select="$message[@id='proxy']" />
++</xsl:when>
+ <xsl:otherwise> <!-- error -->
+ <xsl:message terminate="yes">
+ unknown context: <xsl:value-of select="." />
+Index: docs/manual
+===================================================================
+--- docs/manual (revision 1813018)
++++ docs/manual (working copy)
+
+Property changes on: docs/manual
+___________________________________________________________________
+Modified: svn:mergeinfo
+## -0,0 +0,1 ##
+ Merged /httpd/httpd/trunk/docs/manual:r1740928,1740960,1740967,1740987,1740998,1742697,1756976,1781313,1812193
+Index: include/ap_mmn.h
+===================================================================
+--- include/ap_mmn.h (revision 1813018)
++++ include/ap_mmn.h (working copy)
+@@ -496,6 +496,12 @@
+ * to ap_[r]getline()
+ * 20120211.68 (2.4.26-dev) Add ap_get_basic_auth_components() and deprecate
+ * ap_get_basic_auth_pw()
++ * 20120211.69 (2.4.26-dev) Add optional proxy_{hook,run}_section_post_config(),
++ * ap_proxy_connection_create_ex() and section_config
++ * to struct proxy_{worker,balancer} in mod_proxy.h,
++ * and optional ssl_engine_set() to mod_ssl.h.
++ * 20120211.70 (2.4.26-dev) Add NOT_IN_DIR_CONTEXT replacing NOT_IN_DIR_LOC_FILE
++ * semantics
+ */
+
+ #define MODULE_MAGIC_COOKIE 0x41503234UL /* "AP24" */
+@@ -503,7 +509,7 @@
+ #ifndef MODULE_MAGIC_NUMBER_MAJOR
+ #define MODULE_MAGIC_NUMBER_MAJOR 20120211
+ #endif
+-#define MODULE_MAGIC_NUMBER_MINOR 68 /* 0...n */
++#define MODULE_MAGIC_NUMBER_MINOR 70 /* 0...n */
+
+ /**
+ * Determine if the server's current MODULE_MAGIC_NUMBER is at least a
+Index: include/http_config.h
+===================================================================
+--- include/http_config.h (revision 1813018)
++++ include/http_config.h (working copy)
+@@ -249,6 +249,8 @@ struct command_struct {
+ #define NONFATAL_UNKNOWN 1024 /* Unrecognised directive */
+ #define NONFATAL_ALL (NONFATAL_OVERRIDE|NONFATAL_UNKNOWN)
+
++#define PROXY_CONF 2048 /**< *.conf inside <Proxy> only */
++
+ /** this directive can be placed anywhere */
+ #define OR_ALL (OR_LIMIT|OR_OPTIONS|OR_FILEINFO|OR_AUTHCFG|OR_INDEXES)
+
+@@ -920,10 +922,13 @@ AP_DECLARE(const char *) ap_check_cmd_context(cmd_
+ #define NOT_IN_LOCATION 0x08 /**< Forbidden in <Location> */
+ #define NOT_IN_FILES 0x10 /**< Forbidden in <Files> or <If>*/
+ #define NOT_IN_HTACCESS 0x20 /**< Forbidden in .htaccess files */
++#define NOT_IN_PROXY 0x40 /**< Forbidden in <Proxy> */
+ /** Forbidden in <Directory>/<Location>/<Files><If>*/
+ #define NOT_IN_DIR_LOC_FILE (NOT_IN_DIRECTORY|NOT_IN_LOCATION|NOT_IN_FILES)
+-/** Forbidden in <VirtualHost>/<Limit>/<Directory>/<Location>/<Files>/<If> */
+-#define GLOBAL_ONLY (NOT_IN_VIRTUALHOST|NOT_IN_LIMIT|NOT_IN_DIR_LOC_FILE)
++/** Forbidden in <Directory>/<Location>/<Files><If><Proxy>*/
++#define NOT_IN_DIR_CONTEXT (NOT_IN_LIMIT|NOT_IN_DIR_LOC_FILE|NOT_IN_PROXY)
++/** Forbidden in <VirtualHost>/<Limit>/<Directory>/<Location>/<Files>/<If><Proxy>*/
++#define GLOBAL_ONLY (NOT_IN_VIRTUALHOST|NOT_IN_DIR_CONTEXT)
+
+ /** @} */
+
+Index: modules/generators/mod_suexec.c
+===================================================================
+--- modules/generators/mod_suexec.c (revision 1813018)
++++ modules/generators/mod_suexec.c (working copy)
+@@ -59,7 +59,7 @@ static const char *set_suexec_ugid(cmd_parms *cmd,
+ const char *uid, const char *gid)
+ {
+ suexec_config_t *cfg = (suexec_config_t *) mconfig;
+- const char *err = ap_check_cmd_context(cmd, NOT_IN_DIR_LOC_FILE);
++ const char *err = ap_check_cmd_context(cmd, NOT_IN_DIR_CONTEXT);
+
+ if (err != NULL) {
+ return err;
+Index: modules/http/http_core.c
+===================================================================
+--- modules/http/http_core.c (revision 1813018)
++++ modules/http/http_core.c (working copy)
+@@ -52,7 +52,7 @@ static const char *set_keep_alive_timeout(cmd_parm
+ const char *arg)
+ {
+ apr_interval_time_t timeout;
+- const char *err = ap_check_cmd_context(cmd, NOT_IN_DIR_LOC_FILE);
++ const char *err = ap_check_cmd_context(cmd, NOT_IN_DIR_CONTEXT);
+ if (err != NULL) {
+ return err;
+ }
+@@ -78,7 +78,7 @@ static const char *set_keep_alive_timeout(cmd_parm
+ static const char *set_keep_alive(cmd_parms *cmd, void *dummy,
+ int arg)
+ {
+- const char *err = ap_check_cmd_context(cmd, NOT_IN_DIR_LOC_FILE);
++ const char *err = ap_check_cmd_context(cmd, NOT_IN_DIR_CONTEXT);
+ if (err != NULL) {
+ return err;
+ }
+@@ -90,7 +90,7 @@ static const char *set_keep_alive(cmd_parms *cmd,
+ static const char *set_keep_alive_max(cmd_parms *cmd, void *dummy,
+ const char *arg)
+ {
+- const char *err = ap_check_cmd_context(cmd, NOT_IN_DIR_LOC_FILE);
++ const char *err = ap_check_cmd_context(cmd, NOT_IN_DIR_CONTEXT);
+ if (err != NULL) {
+ return err;
+ }
+Index: modules/http2/h2_h2.c
+===================================================================
+--- modules/http2/h2_h2.c (revision 1813018)
++++ modules/http2/h2_h2.c (working copy)
+@@ -59,7 +59,6 @@ const char *H2_MAGIC_TOKEN = "PRI * HTTP/2.0\r\n\r
+ /*******************************************************************************
+ * The optional mod_ssl functions we need.
+ */
+-static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *opt_ssl_engine_disable;
+ static APR_OPTIONAL_FN_TYPE(ssl_is_https) *opt_ssl_is_https;
+ static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *opt_ssl_var_lookup;
+
+@@ -445,7 +444,6 @@ apr_status_t h2_h2_init(apr_pool_t *pool, server_r
+ {
+ (void)pool;
+ ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s, "h2_h2, child_init");
+- opt_ssl_engine_disable = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable);
+ opt_ssl_is_https = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https);
+ opt_ssl_var_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup);
+
+Index: modules/http2/mod_proxy_http2.c
+===================================================================
+--- modules/http2/mod_proxy_http2.c (revision 1813018)
++++ modules/http2/mod_proxy_http2.c (working copy)
+@@ -576,9 +576,9 @@ run_connect:
+
+ /* Step Three: Create conn_rec for the socket we have open now. */
+ if (!ctx->p_conn->connection) {
+- if ((status = ap_proxy_connection_create(ctx->proxy_func, ctx->p_conn,
+- ctx->owner,
+- ctx->server)) != OK) {
++ status = ap_proxy_connection_create_ex(ctx->proxy_func,
++ ctx->p_conn, ctx->rbase);
++ if (status != OK) {
+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, status, ctx->owner, APLOGNO(03353)
+ "setup new connection: is_ssl=%d %s %s %s",
+ ctx->p_conn->is_ssl, ctx->p_conn->ssl_hostname,
+Index: modules/http2
+===================================================================
+--- modules/http2 (revision 1813018)
++++ modules/http2 (working copy)
+
+Property changes on: modules/http2
+___________________________________________________________________
+Modified: svn:mergeinfo
+## -0,0 +0,1 ##
+ Merged /httpd/httpd/trunk/modules/http2:r1740928,1740960,1740967,1740987,1740998,1742697,1756976,1781313,1812193
+Index: modules/mappers/mod_alias.c
+===================================================================
+--- modules/mappers/mod_alias.c (revision 1813018)
++++ modules/mappers/mod_alias.c (working copy)
+@@ -131,7 +131,7 @@ static const char *add_alias_internal(cmd_parms *c
+
+ /* XXX: real can NOT be relative to DocumentRoot here... compat bug. */
+
+- const char *err = ap_check_cmd_context(cmd, NOT_IN_DIR_LOC_FILE);
++ const char *err = ap_check_cmd_context(cmd, NOT_IN_DIR_CONTEXT);
+
+ if (err != NULL) {
+ return err;
+Index: modules/proxy/mod_proxy.c
+===================================================================
+--- modules/proxy/mod_proxy.c (revision 1813018)
++++ modules/proxy/mod_proxy.c (working copy)
+@@ -26,6 +26,9 @@
+ #else
+ APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
+ APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
++APR_DECLARE_OPTIONAL_FN(int, ssl_engine_set, (conn_rec *,
++ ap_conf_vector_t *,
++ int proxy, int enable));
+ APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
+ APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup,
+ (apr_pool_t *, server_rec *,
+@@ -811,7 +814,7 @@ static int proxy_walk(request_rec *r)
+ {
+ proxy_server_conf *sconf = ap_get_module_config(r->server->module_config,
+ &proxy_module);
+- ap_conf_vector_t *per_dir_defaults = r->server->lookup_defaults;
++ ap_conf_vector_t *per_dir_defaults = r->per_dir_config;
+ ap_conf_vector_t **sec_proxy = (ap_conf_vector_t **) sconf->sec_proxy->elts;
+ ap_conf_vector_t *entry_config;
+ proxy_dir_conf *entry_proxy;
+@@ -2235,6 +2238,9 @@ static const char *add_member(cmd_parms *cmd, void
+ "Sharing worker '%s' instead of creating new worker '%s'",
+ ap_proxy_worker_name(cmd->pool, worker), name);
+ }
++ if (!worker->section_config) {
++ worker->section_config = balancer->section_config;
++ }
+
+ arr = apr_table_elts(params);
+ elts = (const apr_table_entry_t *)arr->elts;
+@@ -2363,7 +2369,7 @@ static const char *proxysection(cmd_parms *cmd, vo
+ proxy_balancer *balancer = NULL;
+ proxy_worker *worker = NULL;
+
+- const char *err = ap_check_cmd_context(cmd, NOT_IN_DIR_LOC_FILE);
++ const char *err = ap_check_cmd_context(cmd, NOT_IN_DIR_CONTEXT);
+ proxy_server_conf *sconf =
+ (proxy_server_conf *) ap_get_module_config(cmd->server->module_config, &proxy_module);
+
+@@ -2386,7 +2392,7 @@ static const char *proxysection(cmd_parms *cmd, vo
+ }
+
+ cmd->path = ap_getword_conf(cmd->pool, &arg);
+- cmd->override = OR_ALL|ACCESS_CONF;
++ cmd->override = OR_ALL|ACCESS_CONF|PROXY_CONF;
+
+ if (!strncasecmp(cmd->path, "proxy:", 6))
+ cmd->path += 6;
+@@ -2441,6 +2447,9 @@ static const char *proxysection(cmd_parms *cmd, vo
+ return apr_pstrcat(cmd->temp_pool, thiscmd->name,
+ " ", err, NULL);
+ }
++ if (!balancer->section_config) {
++ balancer->section_config = new_dir_conf;
++ }
+ }
+ else {
+ worker = ap_proxy_get_worker(cmd->temp_pool, NULL, sconf,
+@@ -2452,6 +2461,9 @@ static const char *proxysection(cmd_parms *cmd, vo
+ return apr_pstrcat(cmd->temp_pool, thiscmd->name,
+ " ", err, NULL);
+ }
++ if (!worker->section_config) {
++ worker->section_config = new_dir_conf;
++ }
+ }
+ if (worker == NULL && balancer == NULL) {
+ return apr_pstrcat(cmd->pool, thiscmd->name,
+@@ -2559,6 +2571,7 @@ static const command_rec proxy_cmds[] =
+
+ static APR_OPTIONAL_FN_TYPE(ssl_proxy_enable) *proxy_ssl_enable = NULL;
+ static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *proxy_ssl_disable = NULL;
++static APR_OPTIONAL_FN_TYPE(ssl_engine_set) *proxy_ssl_engine = NULL;
+ static APR_OPTIONAL_FN_TYPE(ssl_is_https) *proxy_is_https = NULL;
+ static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *proxy_ssl_val = NULL;
+
+@@ -2584,6 +2597,30 @@ PROXY_DECLARE(int) ap_proxy_ssl_disable(conn_rec *
+ return 0;
+ }
+
++PROXY_DECLARE(int) ap_proxy_ssl_engine(conn_rec *c,
++ ap_conf_vector_t *per_dir_config,
++ int enable)
++{
++ /*
++ * if c == NULL just check if the optional function was imported
++ * else run the optional function so ssl filters are inserted
++ */
++ if (proxy_ssl_engine) {
++ return c ? proxy_ssl_engine(c, per_dir_config, 1, enable) : 1;
++ }
++
++ if (!per_dir_config) {
++ if (enable) {
++ return ap_proxy_ssl_enable(c);
++ }
++ else {
++ return ap_proxy_ssl_disable(c);
++ }
++ }
++
++ return 0;
++}
++
+ PROXY_DECLARE(int) ap_proxy_conn_is_https(conn_rec *c)
+ {
+ if (proxy_is_https) {
+@@ -2606,10 +2643,11 @@ PROXY_DECLARE(const char *) ap_proxy_ssl_val(apr_p
+ }
+
+ static int proxy_post_config(apr_pool_t *pconf, apr_pool_t *plog,
+- apr_pool_t *ptemp, server_rec *s)
++ apr_pool_t *ptemp, server_rec *main_s)
+ {
++ server_rec *s = main_s;
+ apr_status_t rv = ap_global_mutex_create(&proxy_mutex, NULL,
+- proxy_id, NULL, s, pconf, 0);
++ proxy_id, NULL, s, pconf, 0);
+ if (rv != APR_SUCCESS) {
+ ap_log_perror(APLOG_MARK, APLOG_CRIT, rv, plog, APLOGNO(02478)
+ "failed to create %s mutex", proxy_id);
+@@ -2618,11 +2656,28 @@ static int proxy_post_config(apr_pool_t *pconf, ap
+
+ proxy_ssl_enable = APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable);
+ proxy_ssl_disable = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable);
++ proxy_ssl_engine = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_set);
+ proxy_is_https = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https);
+ proxy_ssl_val = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup);
+ ap_proxy_strmatch_path = apr_strmatch_precompile(pconf, "path=", 0);
+ ap_proxy_strmatch_domain = apr_strmatch_precompile(pconf, "domain=", 0);
+
++ for (; s; s = s->next) {
++ int rc, i;
++ proxy_server_conf *sconf =
++ ap_get_module_config(s->module_config, &proxy_module);
++ ap_conf_vector_t **sections =
++ (ap_conf_vector_t **)sconf->sec_proxy->elts;
++
++ for (i = 0; i < sconf->sec_proxy->nelts; ++i) {
++ rc = proxy_run_section_post_config(pconf, ptemp, plog,
++ s, sections[i]);
++ if (rc != OK && rc != DECLINED) {
++ return rc;
++ }
++ }
++ }
++
+ return OK;
+ }
+
+@@ -2907,6 +2962,12 @@ APR_IMPLEMENT_EXTERNAL_HOOK_RUN_FIRST(proxy, PROXY
+ request_rec *r,
+ proxy_server_conf *conf),(worker,
+ balancer,r,conf),DECLINED)
++APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(proxy, PROXY, int, section_post_config,
++ (apr_pool_t *p, apr_pool_t *plog,
++ apr_pool_t *ptemp, server_rec *s,
++ ap_conf_vector_t *section_config),
++ (p, ptemp, plog, s, section_config),
++ OK, DECLINED)
+ APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(proxy, PROXY, int, fixups,
+ (request_rec *r), (r),
+ OK, DECLINED)
+Index: modules/proxy/mod_proxy.h
+===================================================================
+--- modules/proxy/mod_proxy.h (revision 1813018)
++++ modules/proxy/mod_proxy.h (working copy)
+@@ -457,6 +457,7 @@ struct proxy_worker {
+ proxy_balancer *balancer; /* which balancer am I in? */
+ apr_thread_mutex_t *tmutex; /* Thread lock for updating address cache */
+ void *context; /* general purpose storage */
++ ap_conf_vector_t *section_config; /* <Proxy>-section wherein defined */
+ };
+
+ /* default to health check every 30 seconds */
+@@ -513,6 +514,7 @@ struct proxy_balancer {
+ void *context; /* general purpose storage */
+ proxy_balancer_shared *s; /* Shared data */
+ int failontimeout; /* Whether to mark a member in Err if IO timeout occurs */
++ ap_conf_vector_t *section_config; /* <Proxy>-section wherein defined */
+ };
+
+ struct proxy_balancer_method {
+@@ -574,15 +576,22 @@ APR_DECLARE_OPTIONAL_FN(const char *, set_worker_h
+ (apr_pool_t *, server_rec *, proxy_worker *,
+ const char *, const char *, void *));
+
+-APR_DECLARE_EXTERNAL_HOOK(proxy, PROXY, int, scheme_handler, (request_rec *r,
+- proxy_worker *worker, proxy_server_conf *conf, char *url,
+- const char *proxyhost, apr_port_t proxyport))
+-APR_DECLARE_EXTERNAL_HOOK(proxy, PROXY, int, canon_handler, (request_rec *r,
+- char *url))
++APR_DECLARE_EXTERNAL_HOOK(proxy, PROXY, int, section_post_config,
++ (apr_pool_t *p, apr_pool_t *plog,
++ apr_pool_t *ptemp, server_rec *s,
++ ap_conf_vector_t *section_config))
+
++APR_DECLARE_EXTERNAL_HOOK(proxy, PROXY, int, scheme_handler,
++ (request_rec *r, proxy_worker *worker,
++ proxy_server_conf *conf, char *url,
++ const char *proxyhost, apr_port_t proxyport))
++APR_DECLARE_EXTERNAL_HOOK(proxy, PROXY, int, canon_handler,
++ (request_rec *r, char *url))
++
+ APR_DECLARE_EXTERNAL_HOOK(proxy, PROXY, int, create_req, (request_rec *r, request_rec *pr))
+ APR_DECLARE_EXTERNAL_HOOK(proxy, PROXY, int, fixups, (request_rec *r))
+
++
+ /**
+ * pre request hook.
+ * It will return the most suitable worker at the moment
+@@ -643,6 +652,9 @@ PROXY_DECLARE(apr_status_t) ap_proxy_ssl_connectio
+ request_rec *r);
+ PROXY_DECLARE(int) ap_proxy_ssl_enable(conn_rec *c);
+ PROXY_DECLARE(int) ap_proxy_ssl_disable(conn_rec *c);
++PROXY_DECLARE(int) ap_proxy_ssl_engine(conn_rec *c,
++ ap_conf_vector_t *per_dir_config,
++ int enable);
+ PROXY_DECLARE(int) ap_proxy_conn_is_https(conn_rec *c);
+ PROXY_DECLARE(const char *) ap_proxy_ssl_val(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, const char *var);
+
+@@ -974,7 +986,7 @@ PROXY_DECLARE(apr_status_t) ap_proxy_connect_uds(a
+ * Make a connection record for backend connection
+ * @param proxy_function calling proxy scheme (http, ajp, ...)
+ * @param conn acquired connection
+- * @param c client connection record
++ * @param c client connection record (unused, deprecated)
+ * @param s current server record
+ * @return OK or HTTP_XXX error
+ * @note The function will return immediately if conn->connection
+@@ -985,6 +997,18 @@ PROXY_DECLARE(int) ap_proxy_connection_create(cons
+ conn_rec *c, server_rec *s);
+
+ /**
++ * Make a connection record for backend connection, using request dir config
++ * @param proxy_function calling proxy scheme (http, ajp, ...)
++ * @param conn acquired connection
++ * @param r current request record
++ * @return OK or HTTP_XXX error
++ * @note The function will return immediately if conn->connection
++ * is already set,
++ */
++PROXY_DECLARE(int) ap_proxy_connection_create_ex(const char *proxy_function,
++ proxy_conn_rec *conn,
++ request_rec *r);
++/**
+ * Determine if proxy connection can potentially be reused at the
+ * end of this request.
+ * @param conn proxy connection
+Index: modules/proxy/mod_proxy_connect.c
+===================================================================
+--- modules/proxy/mod_proxy_connect.c (revision 1813018)
++++ modules/proxy/mod_proxy_connect.c (working copy)
+@@ -299,7 +299,7 @@ static int proxy_connect_handler(request_rec *r, p
+ apr_socket_close(sock);
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+- ap_proxy_ssl_disable(backconn);
++ ap_proxy_ssl_engine(backconn, r->per_dir_config, 0);
+ rc = ap_run_pre_connection(backconn, sock);
+ if (rc != OK && rc != DONE) {
+ backconn->aborted = 1;
+Index: modules/proxy/mod_proxy_ftp.c
+===================================================================
+--- modules/proxy/mod_proxy_ftp.c (revision 1813018)
++++ modules/proxy/mod_proxy_ftp.c (working copy)
+@@ -1181,7 +1181,7 @@ static int proxy_ftp_handler(request_rec *r, proxy
+ }
+
+ if (!backend->connection) {
+- status = ap_proxy_connection_create("FTP", backend, c, r->server);
++ status = ap_proxy_connection_create_ex("FTP", backend, r);
+ if (status != OK) {
+ proxy_ftp_cleanup(r, backend);
+ return status;
+@@ -1967,7 +1967,7 @@ static int proxy_ftp_handler(request_rec *r, proxy
+ * We do not do SSL over the data connection, even if the virtual host we
+ * are in might have SSL enabled
+ */
+- ap_proxy_ssl_disable(data);
++ ap_proxy_ssl_engine(data, r->per_dir_config, 0);
+ /* set up the connection filters */
+ rc = ap_run_pre_connection(data, data_sock);
+ if (rc != OK && rc != DONE) {
+Index: modules/proxy/mod_proxy_http.c
+===================================================================
+--- modules/proxy/mod_proxy_http.c (revision 1813018)
++++ modules/proxy/mod_proxy_http.c (working copy)
+@@ -1948,8 +1948,8 @@ static int proxy_http_handler(request_rec *r, prox
+
+ /* Step Three: Create conn_rec */
+ if (!backend->connection) {
+- if ((status = ap_proxy_connection_create(proxy_function, backend,
+- c, r->server)) != OK)
++ if ((status = ap_proxy_connection_create_ex(proxy_function,
++ backend, r)) != OK)
+ break;
+ /*
+ * On SSL connections set a note on the connection what CN is
+Index: modules/proxy/mod_proxy_wstunnel.c
+===================================================================
+--- modules/proxy/mod_proxy_wstunnel.c (revision 1813018)
++++ modules/proxy/mod_proxy_wstunnel.c (working copy)
+@@ -285,7 +285,6 @@ static int proxy_wstunnel_handler(request_rec *r,
+ proxy_conn_rec *backend = NULL;
+ char *scheme;
+ int retry;
+- conn_rec *c = r->connection;
+ apr_pool_t *p = r->pool;
+ apr_uri_t *uri;
+ int is_ssl = 0;
+@@ -352,11 +351,13 @@ static int proxy_wstunnel_handler(request_rec *r,
+ status = HTTP_SERVICE_UNAVAILABLE;
+ break;
+ }
++
+ /* Step Three: Create conn_rec */
+ if (!backend->connection) {
+- if ((status = ap_proxy_connection_create(scheme, backend,
+- c, r->server)) != OK)
++ status = ap_proxy_connection_create_ex(scheme, backend, r);
++ if (status != OK) {
+ break;
++ }
+ }
+
+ backend->close = 1; /* must be after ap_proxy_determine_connection */
+Index: modules/proxy/proxy_util.c
+===================================================================
+--- modules/proxy/proxy_util.c (revision 1813018)
++++ modules/proxy/proxy_util.c (working copy)
+@@ -2997,11 +2997,12 @@ static apr_status_t connection_shutdown(void *thec
+ }
+
+
+-PROXY_DECLARE(int) ap_proxy_connection_create(const char *proxy_function,
+- proxy_conn_rec *conn,
+- conn_rec *c,
+- server_rec *s)
++static int proxy_connection_create(const char *proxy_function,
++ proxy_conn_rec *conn,
++ request_rec *r, server_rec *s)
+ {
++ ap_conf_vector_t *per_dir_config = (r) ? r->per_dir_config
++ : conn->worker->section_config;
+ apr_sockaddr_t *backend_addr = conn->addr;
+ int rc;
+ apr_interval_time_t current_timeout;
+@@ -3036,7 +3037,7 @@ static apr_status_t connection_shutdown(void *thec
+
+ /* For ssl connection to backend */
+ if (conn->is_ssl) {
+- if (!ap_proxy_ssl_enable(conn->connection)) {
++ if (!ap_proxy_ssl_engine(conn->connection, per_dir_config, 1)) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0,
+ s, APLOGNO(00961) "%s: failed to enable ssl support "
+ "for %pI (%s)", proxy_function,
+@@ -3046,7 +3047,7 @@ static apr_status_t connection_shutdown(void *thec
+ }
+ else {
+ /* TODO: See if this will break FTP */
+- ap_proxy_ssl_disable(conn->connection);
++ ap_proxy_ssl_engine(conn->connection, per_dir_config, 0);
+ }
+
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(00962)
+@@ -3078,6 +3079,21 @@ static apr_status_t connection_shutdown(void *thec
+ return OK;
+ }
+
++PROXY_DECLARE(int) ap_proxy_connection_create_ex(const char *proxy_function,
++ proxy_conn_rec *conn,
++ request_rec *r)
++{
++ return proxy_connection_create(proxy_function, conn, r, r->server);
++}
++
++PROXY_DECLARE(int) ap_proxy_connection_create(const char *proxy_function,
++ proxy_conn_rec *conn,
++ conn_rec *c, server_rec *s)
++{
++ (void) c; /* unused */
++ return proxy_connection_create(proxy_function, conn, NULL, s);
++}
++
+ int ap_proxy_lb_workers(void)
+ {
+ /*
+Index: modules/ssl/mod_ssl.c
+===================================================================
+--- modules/ssl/mod_ssl.c (revision 1813018)
++++ modules/ssl/mod_ssl.c (working copy)
+@@ -32,6 +32,8 @@
+ #include "ap_provider.h"
+ #include "http_config.h"
+
++#include "mod_proxy.h" /* for proxy_hook_section_post_config() */
++
+ #include <assert.h>
+
+ static int modssl_running_statically = 0;
+@@ -52,6 +54,10 @@ APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int,
+ AP_INIT_##args("SSL"#name, ssl_cmd_SSL##name, \
+ NULL, RSRC_CONF, desc),
+
++#define SSL_CMD_PXY(name, args, desc) \
++ AP_INIT_##args("SSL"#name, ssl_cmd_SSL##name, \
++ NULL, RSRC_CONF|PROXY_CONF, desc),
++
+ #define SSL_CMD_DIR(name, type, args, desc) \
+ AP_INIT_##args("SSL"#name, ssl_cmd_SSL##name, \
+ NULL, OR_##type, desc),
+@@ -173,50 +179,50 @@ static const command_rec ssl_config_cmds[] = {
+ /*
+ * Proxy configuration for remote SSL connections
+ */
+- SSL_CMD_SRV(ProxyEngine, FLAG,
++ SSL_CMD_PXY(ProxyEngine, FLAG,
+ "SSL switch for the proxy protocol engine "
+ "('on', 'off')")
+- SSL_CMD_SRV(ProxyProtocol, RAW_ARGS,
++ SSL_CMD_PXY(ProxyProtocol, RAW_ARGS,
+ "SSL Proxy: enable or disable SSL protocol flavors "
+ "('[+-][" SSL_PROTOCOLS "] ...' - see manual)")
+- SSL_CMD_SRV(ProxyCipherSuite, TAKE1,
++ SSL_CMD_PXY(ProxyCipherSuite, TAKE1,
+ "SSL Proxy: colon-delimited list of permitted SSL ciphers "
+ "('XXX:...:XXX' - see manual)")
+- SSL_CMD_SRV(ProxyVerify, TAKE1,
++ SSL_CMD_PXY(ProxyVerify, TAKE1,
+ "SSL Proxy: whether to verify the remote certificate "
+ "('on' or 'off')")
+- SSL_CMD_SRV(ProxyVerifyDepth, TAKE1,
++ SSL_CMD_PXY(ProxyVerifyDepth, TAKE1,
+ "SSL Proxy: maximum certificate verification depth "
+ "('N' - number of intermediate certificates)")
+- SSL_CMD_SRV(ProxyCACertificateFile, TAKE1,
++ SSL_CMD_PXY(ProxyCACertificateFile, TAKE1,
+ "SSL Proxy: file containing server certificates "
+ "('/path/to/file' - PEM encoded certificates)")
+- SSL_CMD_SRV(ProxyCACertificatePath, TAKE1,
++ SSL_CMD_PXY(ProxyCACertificatePath, TAKE1,
+ "SSL Proxy: directory containing server certificates "
+ "('/path/to/dir' - contains PEM encoded certificates)")
+- SSL_CMD_SRV(ProxyCARevocationPath, TAKE1,
++ SSL_CMD_PXY(ProxyCARevocationPath, TAKE1,
+ "SSL Proxy: CA Certificate Revocation List (CRL) path "
+ "('/path/to/dir' - contains PEM encoded files)")
+- SSL_CMD_SRV(ProxyCARevocationFile, TAKE1,
++ SSL_CMD_PXY(ProxyCARevocationFile, TAKE1,
+ "SSL Proxy: CA Certificate Revocation List (CRL) file "
+ "('/path/to/file' - PEM encoded)")
+- SSL_CMD_SRV(ProxyCARevocationCheck, RAW_ARGS,
++ SSL_CMD_PXY(ProxyCARevocationCheck, RAW_ARGS,
+ "SSL Proxy: CA Certificate Revocation List (CRL) checking mode")
+- SSL_CMD_SRV(ProxyMachineCertificateFile, TAKE1,
++ SSL_CMD_PXY(ProxyMachineCertificateFile, TAKE1,
+ "SSL Proxy: file containing client certificates "
+ "('/path/to/file' - PEM encoded certificates)")
+- SSL_CMD_SRV(ProxyMachineCertificatePath, TAKE1,
++ SSL_CMD_PXY(ProxyMachineCertificatePath, TAKE1,
+ "SSL Proxy: directory containing client certificates "
+ "('/path/to/dir' - contains PEM encoded certificates)")
+- SSL_CMD_SRV(ProxyMachineCertificateChainFile, TAKE1,
++ SSL_CMD_PXY(ProxyMachineCertificateChainFile, TAKE1,
+ "SSL Proxy: file containing issuing certificates "
+ "of the client certificate "
+ "(`/path/to/file' - PEM encoded certificates)")
+- SSL_CMD_SRV(ProxyCheckPeerExpire, FLAG,
++ SSL_CMD_PXY(ProxyCheckPeerExpire, FLAG,
+ "SSL Proxy: check the peer certificate's expiration date")
+- SSL_CMD_SRV(ProxyCheckPeerCN, FLAG,
++ SSL_CMD_PXY(ProxyCheckPeerCN, FLAG,
+ "SSL Proxy: check the peer certificate's CN")
+- SSL_CMD_SRV(ProxyCheckPeerName, FLAG,
++ SSL_CMD_PXY(ProxyCheckPeerName, FLAG,
+ "SSL Proxy: check the peer certificate's name "
+ "(must be present in subjectAltName extension or CN")
+
+@@ -438,7 +444,8 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,
+ return OK;
+ }
+
+-static SSLConnRec *ssl_init_connection_ctx(conn_rec *c)
++static SSLConnRec *ssl_init_connection_ctx(conn_rec *c,
++ ap_conf_vector_t *per_dir_config)
+ {
+ SSLConnRec *sslconn = myConnConfig(c);
+ SSLSrvConfigRec *sc;
+@@ -449,6 +456,14 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,
+
+ sslconn = apr_pcalloc(c->pool, sizeof(*sslconn));
+
++ if (per_dir_config) {
++ sslconn->dc = ap_get_module_config(per_dir_config, &ssl_module);
++ }
++ else {
++ sslconn->dc = ap_get_module_config(c->base_server->lookup_defaults,
++ &ssl_module);
++ }
++
+ sslconn->server = c->base_server;
+ sslconn->verify_depth = UNSET;
+ sc = mySrvConfig(c->base_server);
+@@ -459,48 +474,75 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,
+ return sslconn;
+ }
+
+-int ssl_proxy_enable(conn_rec *c)
++static int ssl_engine_status(conn_rec *c, SSLConnRec *sslconn)
+ {
+- SSLSrvConfigRec *sc;
+-
+- SSLConnRec *sslconn = ssl_init_connection_ctx(c);
+- sc = mySrvConfig(sslconn->server);
+-
+- if (!sc->proxy_enabled) {
+- ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01961)
+- "SSL Proxy requested for %s but not enabled "
+- "[Hint: SSLProxyEngine]", sc->vhost_id);
+-
+- return 0;
++ if (c->master) {
++ return DECLINED;
+ }
+-
+- sslconn->is_proxy = 1;
+- sslconn->disabled = 0;
+-
+- return 1;
++ if (sslconn) {
++ if (sslconn->disabled) {
++ return SUSPENDED;
++ }
++ if (sslconn->is_proxy) {
++ if (!sslconn->dc->proxy_enabled) {
++ return DECLINED;
++ }
++ }
++ else {
++ if (mySrvConfig(sslconn->server)->enabled != SSL_ENABLED_TRUE) {
++ return DECLINED;
++ }
++ }
++ }
++ else {
++ if (mySrvConfig(c->base_server)->enabled != SSL_ENABLED_TRUE) {
++ return DECLINED;
++ }
++ }
++ return OK;
+ }
+
+-int ssl_engine_disable(conn_rec *c)
++static int ssl_engine_set(conn_rec *c,
++ ap_conf_vector_t *per_dir_config,
++ int proxy, int enable)
+ {
+- SSLSrvConfigRec *sc;
++ SSLConnRec *sslconn;
++ int status;
++
++ if (proxy) {
++ sslconn = ssl_init_connection_ctx(c, per_dir_config);
++ sslconn->is_proxy = 1;
++ }
++ else {
++ sslconn = myConnConfig(c);
++ }
+
+- SSLConnRec *sslconn = myConnConfig(c);
++ status = ssl_engine_status(c, sslconn);
+
+- if (sslconn) {
+- sc = mySrvConfig(sslconn->server);
++ if (proxy && status == DECLINED) {
++ if (enable) {
++ SSLSrvConfigRec *sc = mySrvConfig(sslconn->server);
++ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01961)
++ "SSL Proxy requested for %s but not enabled "
++ "[Hint: SSLProxyEngine]", sc->vhost_id);
++ }
++ sslconn->disabled = 1;
+ }
+- else {
+- sc = mySrvConfig(c->base_server);
++ else if (sslconn) {
++ sslconn->disabled = !enable;
+ }
+- if (sc->enabled == SSL_ENABLED_FALSE) {
+- return 0;
+- }
+
+- sslconn = ssl_init_connection_ctx(c);
++ return status != DECLINED;
++}
+
+- sslconn->disabled = 1;
++static int ssl_proxy_enable(conn_rec *c)
++{
++ return ssl_engine_set(c, NULL, 1, 1);
++}
+
+- return 1;
++static int ssl_engine_disable(conn_rec *c)
++{
++ return ssl_engine_set(c, NULL, 0, 0);
+ }
+
+ int ssl_init_ssl_connection(conn_rec *c, request_rec *r)
+@@ -507,15 +549,16 @@ int ssl_init_ssl_connection(conn_rec *c, request_r
+ {
+ SSLSrvConfigRec *sc;
+ SSL *ssl;
+- SSLConnRec *sslconn = myConnConfig(c);
++ SSLConnRec *sslconn;
+ char *vhost_md5;
+ int rc;
+ modssl_ctx_t *mctx;
+ server_rec *server;
+
+- if (!sslconn) {
+- sslconn = ssl_init_connection_ctx(c);
+- }
++ /*
++ * Create or retrieve SSL context
++ */
++ sslconn = ssl_init_connection_ctx(c, r ? r->per_dir_config : NULL);
+ server = sslconn->server;
+ sc = mySrvConfig(server);
+
+@@ -522,9 +565,10 @@ int ssl_init_ssl_connection(conn_rec *c, request_r
+ /*
+ * Seed the Pseudo Random Number Generator (PRNG)
+ */
+- ssl_rand_seed(server, c->pool, SSL_RSCTX_CONNECT, "");
++ ssl_rand_seed(server, c->pool, SSL_RSCTX_CONNECT,
++ sslconn->is_proxy ? "Proxy: " : "Server: ");
+
+- mctx = sslconn->is_proxy ? sc->proxy : sc->server;
++ mctx = myCtxConfig(sslconn, sc);
+
+ /*
+ * Create a new SSL connection with the configured server SSL context and
+@@ -596,34 +640,21 @@ static apr_port_t ssl_hook_default_port(const requ
+
+ static int ssl_hook_pre_connection(conn_rec *c, void *csd)
+ {
+-
+ SSLSrvConfigRec *sc;
+ SSLConnRec *sslconn = myConnConfig(c);
+
+- if (sslconn) {
+- sc = mySrvConfig(sslconn->server);
+- }
+- else {
+- sc = mySrvConfig(c->base_server);
+- }
+ /*
+ * Immediately stop processing if SSL is disabled for this connection
+ */
+- if (c->master || !(sc && (sc->enabled == SSL_ENABLED_TRUE ||
+- (sslconn && sslconn->is_proxy))))
+- {
++ if (ssl_engine_status(c, sslconn) != OK) {
+ return DECLINED;
+ }
+
+- /*
+- * Create SSL context
+- */
+- if (!sslconn) {
+- sslconn = ssl_init_connection_ctx(c);
++ if (sslconn) {
++ sc = mySrvConfig(sslconn->server);
+ }
+-
+- if (sslconn->disabled) {
+- return DECLINED;
++ else {
++ sc = mySrvConfig(c->base_server);
+ }
+
+ /*
+@@ -667,7 +698,13 @@ static void ssl_register_hooks(apr_pool_t *p)
+ /* ssl_hook_ReadReq needs to use the BrowserMatch settings so must
+ * run after mod_setenvif's post_read_request hook. */
+ static const char *pre_prr[] = { "mod_setenvif.c", NULL };
++ /* The ssl_init_Module post_config hook should run before mod_proxy's
++ * for the ssl proxy main configs to be merged with vhosts' before being
++ * themselves merged with mod_proxy's in proxy_hook_section_post_config.
++ */
++ static const char *b_pc[] = { "mod_proxy.c", NULL};
+
++
+ ssl_io_filter_register(p);
+
+ ap_hook_pre_connection(ssl_hook_pre_connection,NULL,NULL, APR_HOOK_MIDDLE);
+@@ -674,7 +711,7 @@ static void ssl_register_hooks(apr_pool_t *p)
+ ap_hook_process_connection(ssl_hook_process_connection,
+ NULL, NULL, APR_HOOK_MIDDLE);
+ ap_hook_test_config (ssl_hook_ConfigTest, NULL,NULL, APR_HOOK_MIDDLE);
+- ap_hook_post_config (ssl_init_Module, NULL,NULL, APR_HOOK_MIDDLE);
++ ap_hook_post_config (ssl_init_Module, NULL,b_pc, APR_HOOK_MIDDLE);
+ ap_hook_http_scheme (ssl_hook_http_scheme, NULL,NULL, APR_HOOK_MIDDLE);
+ ap_hook_default_port (ssl_hook_default_port, NULL,NULL, APR_HOOK_MIDDLE);
+ ap_hook_pre_config (ssl_hook_pre_config, NULL,NULL, APR_HOOK_MIDDLE);
+@@ -688,10 +725,15 @@ static void ssl_register_hooks(apr_pool_t *p)
+ AP_AUTH_INTERNAL_PER_CONF);
+ ap_hook_post_read_request(ssl_hook_ReadReq, pre_prr,NULL, APR_HOOK_MIDDLE);
+
++ APR_OPTIONAL_HOOK(proxy, section_post_config,
++ ssl_proxy_section_post_config, NULL, NULL,
++ APR_HOOK_MIDDLE);
++
+ ssl_var_register(p);
+
+ APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
+ APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
++ APR_REGISTER_OPTIONAL_FN(ssl_engine_set);
+
+ ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "ssl",
+ AUTHZ_PROVIDER_VERSION,
+@@ -702,7 +744,6 @@ static void ssl_register_hooks(apr_pool_t *p)
+ AUTHZ_PROVIDER_VERSION,
+ &ssl_authz_provider_verify_client,
+ AP_AUTH_INTERNAL_PER_CONF);
+-
+ }
+
+ module AP_MODULE_DECLARE_DATA ssl_module = {
+Index: modules/ssl/mod_ssl.h
+===================================================================
+--- modules/ssl/mod_ssl.h (revision 1813018)
++++ modules/ssl/mod_ssl.h (working copy)
+@@ -27,6 +27,7 @@
+ #define __MOD_SSL_H__
+
+ #include "httpd.h"
++#include "http_config.h"
+ #include "apr_optional.h"
+
+ /* Create a set of SSL_DECLARE(type), SSL_DECLARE_NONSTD(type) and
+@@ -76,13 +77,15 @@ APR_DECLARE_OPTIONAL_FN(apr_array_header_t *, ssl_
+ * is using SSL/TLS. */
+ APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
+
+-/** The ssl_proxy_enable() and ssl_engine_disable() optional functions
+- * are used by mod_proxy to enable use of SSL for outgoing
++/** The ssl_proxy_enable() and ssl_engine_{set,disable}() optional
++ * functions are used by mod_proxy to enable use of SSL for outgoing
+ * connections. */
+
+ APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
+-
+ APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
++APR_DECLARE_OPTIONAL_FN(int, ssl_engine_set, (conn_rec *,
++ ap_conf_vector_t *,
++ int proxy, int enable));
+
+ #endif /* __MOD_SSL_H__ */
+ /** @} */
+Index: modules/ssl/ssl_engine_config.c
+===================================================================
+--- modules/ssl/ssl_engine_config.c (revision 1813018)
++++ modules/ssl/ssl_engine_config.c (working copy)
+@@ -180,24 +180,10 @@ static void modssl_ctx_init(modssl_ctx_t *mctx, ap
+ SSL_CONF_CTX_set_flags(mctx->ssl_ctx_config, SSL_CONF_FLAG_CERTIFICATE);
+ mctx->ssl_ctx_param = apr_array_make(p, 5, sizeof(ssl_ctx_param_t));
+ #endif
+-}
+
+-static void modssl_ctx_init_proxy(SSLSrvConfigRec *sc,
+- apr_pool_t *p)
+-{
+- modssl_ctx_t *mctx;
+-
+- mctx = sc->proxy = apr_palloc(p, sizeof(*sc->proxy));
+-
+- modssl_ctx_init(mctx, p);
+-
+- mctx->pkp = apr_palloc(p, sizeof(*mctx->pkp));
+-
+- mctx->pkp->cert_file = NULL;
+- mctx->pkp->cert_path = NULL;
+- mctx->pkp->ca_cert_file = NULL;
+- mctx->pkp->certs = NULL;
+- mctx->pkp->ca_certs = NULL;
++ mctx->ssl_check_peer_cn = UNSET;
++ mctx->ssl_check_peer_name = UNSET;
++ mctx->ssl_check_peer_expire = UNSET;
+ }
+
+ static void modssl_ctx_init_server(SSLSrvConfigRec *sc,
+@@ -225,15 +211,11 @@ static SSLSrvConfigRec *ssl_config_server_new(apr_
+
+ sc->mc = NULL;
+ sc->enabled = SSL_ENABLED_UNSET;
+- sc->proxy_enabled = UNSET;
+ sc->vhost_id = NULL; /* set during module init */
+ sc->vhost_id_len = 0; /* set during module init */
+ sc->session_cache_timeout = UNSET;
+ sc->cipher_server_pref = UNSET;
+ sc->insecure_reneg = UNSET;
+- sc->proxy_ssl_check_peer_expire = SSL_ENABLED_UNSET;
+- sc->proxy_ssl_check_peer_cn = SSL_ENABLED_UNSET;
+- sc->proxy_ssl_check_peer_name = SSL_ENABLED_UNSET;
+ #ifdef HAVE_TLSEXT
+ sc->strict_sni_vhost_check = SSL_ENABLED_UNSET;
+ #endif
+@@ -245,8 +227,6 @@ static SSLSrvConfigRec *ssl_config_server_new(apr_
+ #endif
+ sc->session_tickets = UNSET;
+
+- modssl_ctx_init_proxy(sc, p);
+-
+ modssl_ctx_init_server(sc, p);
+
+ return sc;
+@@ -270,6 +250,10 @@ void *ssl_config_server_create(apr_pool_t *p, serv
+ #define cfgMergeBool(el) cfgMerge(el, UNSET)
+ #define cfgMergeInt(el) cfgMerge(el, UNSET)
+
++/*
++ * Merge per-server SSL configurations
++ */
++
+ static void modssl_ctx_cfg_merge(apr_pool_t *p,
+ modssl_ctx_t *base,
+ modssl_ctx_t *add,
+@@ -331,18 +315,10 @@ static void modssl_ctx_cfg_merge(apr_pool_t *p,
+ #ifdef HAVE_SSL_CONF_CMD
+ cfgMergeArray(ssl_ctx_param);
+ #endif
+-}
+
+-static void modssl_ctx_cfg_merge_proxy(apr_pool_t *p,
+- modssl_ctx_t *base,
+- modssl_ctx_t *add,
+- modssl_ctx_t *mrg)
+-{
+- modssl_ctx_cfg_merge(p, base, add, mrg);
+-
+- cfgMergeString(pkp->cert_file);
+- cfgMergeString(pkp->cert_path);
+- cfgMergeString(pkp->ca_cert_file);
++ cfgMergeBool(ssl_check_peer_cn);
++ cfgMergeBool(ssl_check_peer_name);
++ cfgMergeBool(ssl_check_peer_expire);
+ }
+
+ static void modssl_ctx_cfg_merge_certkeys_array(apr_pool_t *p,
+@@ -401,9 +377,6 @@ static void modssl_ctx_cfg_merge_server(apr_pool_t
+ #endif
+ }
+
+-/*
+- * Merge per-server SSL configurations
+- */
+ void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv)
+ {
+ SSLSrvConfigRec *base = (SSLSrvConfigRec *)basev;
+@@ -412,13 +385,9 @@ void *ssl_config_server_merge(apr_pool_t *p, void
+
+ cfgMerge(mc, NULL);
+ cfgMerge(enabled, SSL_ENABLED_UNSET);
+- cfgMergeBool(proxy_enabled);
+ cfgMergeInt(session_cache_timeout);
+ cfgMergeBool(cipher_server_pref);
+ cfgMergeBool(insecure_reneg);
+- cfgMerge(proxy_ssl_check_peer_expire, SSL_ENABLED_UNSET);
+- cfgMerge(proxy_ssl_check_peer_cn, SSL_ENABLED_UNSET);
+- cfgMerge(proxy_ssl_check_peer_name, SSL_ENABLED_UNSET);
+ #ifdef HAVE_TLSEXT
+ cfgMerge(strict_sni_vhost_check, SSL_ENABLED_UNSET);
+ #endif
+@@ -430,8 +399,6 @@ void *ssl_config_server_merge(apr_pool_t *p, void
+ #endif
+ cfgMergeBool(session_tickets);
+
+- modssl_ctx_cfg_merge_proxy(p, base->proxy, add->proxy, mrg->proxy);
+-
+ modssl_ctx_cfg_merge_server(p, base->server, add->server, mrg->server);
+
+ return mrg;
+@@ -440,6 +407,25 @@ void *ssl_config_server_merge(apr_pool_t *p, void
+ /*
+ * Create per-directory SSL configuration
+ */
++
++static void modssl_ctx_init_proxy(SSLDirConfigRec *dc,
++ apr_pool_t *p)
++{
++ modssl_ctx_t *mctx;
++
++ mctx = dc->proxy = apr_palloc(p, sizeof(*dc->proxy));
++
++ modssl_ctx_init(mctx, p);
++
++ mctx->pkp = apr_palloc(p, sizeof(*mctx->pkp));
++
++ mctx->pkp->cert_file = NULL;
++ mctx->pkp->cert_path = NULL;
++ mctx->pkp->ca_cert_file = NULL;
++ mctx->pkp->certs = NULL;
++ mctx->pkp->ca_certs = NULL;
++}
++
+ void *ssl_config_perdir_create(apr_pool_t *p, char *dir)
+ {
+ SSLDirConfigRec *dc = apr_palloc(p, sizeof(*dc));
+@@ -454,12 +440,14 @@ void *ssl_config_perdir_create(apr_pool_t *p, char
+ dc->nVerifyClient = SSL_CVERIFY_UNSET;
+ dc->nVerifyDepth = UNSET;
+
+- dc->szCACertificatePath = NULL;
+- dc->szCACertificateFile = NULL;
+ dc->szUserName = NULL;
+
+ dc->nRenegBufferSize = UNSET;
+
++ dc->proxy_enabled = UNSET;
++ modssl_ctx_init_proxy(dc, p);
++ dc->proxy_post_config = FALSE;
++
+ return dc;
+ }
+
+@@ -466,6 +454,19 @@ void *ssl_config_perdir_create(apr_pool_t *p, char
+ /*
+ * Merge per-directory SSL configurations
+ */
++
++static void modssl_ctx_cfg_merge_proxy(apr_pool_t *p,
++ modssl_ctx_t *base,
++ modssl_ctx_t *add,
++ modssl_ctx_t *mrg)
++{
++ modssl_ctx_cfg_merge(p, base, add, mrg);
++
++ cfgMergeString(pkp->cert_file);
++ cfgMergeString(pkp->cert_path);
++ cfgMergeString(pkp->ca_cert_file);
++}
++
+ void *ssl_config_perdir_merge(apr_pool_t *p, void *basev, void *addv)
+ {
+ SSLDirConfigRec *base = (SSLDirConfigRec *)basev;
+@@ -493,15 +494,38 @@ void *ssl_config_perdir_merge(apr_pool_t *p, void
+ cfgMerge(nVerifyClient, SSL_CVERIFY_UNSET);
+ cfgMergeInt(nVerifyDepth);
+
+- cfgMergeString(szCACertificatePath);
+- cfgMergeString(szCACertificateFile);
+ cfgMergeString(szUserName);
+
+ cfgMergeInt(nRenegBufferSize);
+
++ mrg->proxy_post_config = add->proxy_post_config;
++ if (!add->proxy_post_config) {
++ cfgMergeBool(proxy_enabled);
++ modssl_ctx_init_proxy(mrg, p);
++ modssl_ctx_cfg_merge_proxy(p, base->proxy, add->proxy, mrg->proxy);
++ }
++ else {
++ /* post_config hook has already merged and initialized the
++ * proxy context, use it.
++ */
++ mrg->proxy_enabled = add->proxy_enabled;
++ mrg->proxy = add->proxy;
++ }
++
+ return mrg;
+ }
+
++/* Simply merge conf with base into conf, no third party. */
++void ssl_config_proxy_merge(apr_pool_t *p,
++ SSLDirConfigRec *base,
++ SSLDirConfigRec *conf)
++{
++ if (conf->proxy_enabled == UNSET) {
++ conf->proxy_enabled = base->proxy_enabled;
++ }
++ modssl_ctx_cfg_merge_proxy(p, base->proxy, conf->proxy, conf->proxy);
++}
++
+ /*
+ * Configuration functions for particular directives
+ */
+@@ -1099,7 +1123,7 @@ const char *ssl_cmd_SSLVerifyClient(cmd_parms *cmd
+ {
+ SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+- ssl_verify_t mode;
++ ssl_verify_t mode = SSL_CVERIFY_NONE;
+ const char *err;
+
+ if ((err = ssl_cmd_verify_parse(cmd, arg, &mode))) {
+@@ -1444,9 +1468,9 @@ const char *ssl_cmd_SSLProtocol(cmd_parms *cmd,
+
+ const char *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag)
+ {
+- SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
++ SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
+
+- sc->proxy_enabled = flag ? TRUE : FALSE;
++ dc->proxy_enabled = flag ? TRUE : FALSE;
+
+ return NULL;
+ }
+@@ -1455,10 +1479,10 @@ const char *ssl_cmd_SSLProxyProtocol(cmd_parms *cm
+ void *dcfg,
+ const char *arg)
+ {
+- SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
++ SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
+
+- sc->proxy->protocol_set = 1;
+- return ssl_cmd_protocol_parse(cmd, arg, &sc->proxy->protocol);
++ dc->proxy->protocol_set = 1;
++ return ssl_cmd_protocol_parse(cmd, arg, &dc->proxy->protocol);
+ }
+
+ const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *cmd,
+@@ -1465,12 +1489,12 @@ const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms
+ void *dcfg,
+ const char *arg)
+ {
+- SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
++ SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
+
+ /* always disable null and export ciphers */
+ arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
+
+- sc->proxy->auth.cipher_suite = arg;
++ dc->proxy->auth.cipher_suite = arg;
+
+ return NULL;
+ }
+@@ -1479,8 +1503,8 @@ const char *ssl_cmd_SSLProxyVerify(cmd_parms *cmd,
+ void *dcfg,
+ const char *arg)
+ {
+- SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+- ssl_verify_t mode;
++ SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
++ ssl_verify_t mode = SSL_CVERIFY_NONE;
+ const char *err;
+
+ if ((err = ssl_cmd_verify_parse(cmd, arg, &mode))) {
+@@ -1487,7 +1511,7 @@ const char *ssl_cmd_SSLProxyVerify(cmd_parms *cmd,
+ return err;
+ }
+
+- sc->proxy->auth.verify_mode = mode;
++ dc->proxy->auth.verify_mode = mode;
+
+ return NULL;
+ }
+@@ -1496,7 +1520,7 @@ const char *ssl_cmd_SSLProxyVerifyDepth(cmd_parms
+ void *dcfg,
+ const char *arg)
+ {
+- SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
++ SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
+ int depth;
+ const char *err;
+
+@@ -1504,7 +1528,7 @@ const char *ssl_cmd_SSLProxyVerifyDepth(cmd_parms
+ return err;
+ }
+
+- sc->proxy->auth.verify_depth = depth;
++ dc->proxy->auth.verify_depth = depth;
+
+ return NULL;
+ }
+@@ -1513,7 +1537,7 @@ const char *ssl_cmd_SSLProxyCACertificateFile(cmd_
+ void *dcfg,
+ const char *arg)
+ {
+- SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
++ SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
+ const char *err;
+
+ if ((err = ssl_cmd_check_file(cmd, &arg))) {
+@@ -1520,7 +1544,7 @@ const char *ssl_cmd_SSLProxyCACertificateFile(cmd_
+ return err;
+ }
+
+- sc->proxy->auth.ca_cert_file = arg;
++ dc->proxy->auth.ca_cert_file = arg;
+
+ return NULL;
+ }
+@@ -1529,7 +1553,7 @@ const char *ssl_cmd_SSLProxyCACertificatePath(cmd_
+ void *dcfg,
+ const char *arg)
+ {
+- SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
++ SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
+ const char *err;
+
+ if ((err = ssl_cmd_check_dir(cmd, &arg))) {
+@@ -1536,7 +1560,7 @@ const char *ssl_cmd_SSLProxyCACertificatePath(cmd_
+ return err;
+ }
+
+- sc->proxy->auth.ca_cert_path = arg;
++ dc->proxy->auth.ca_cert_path = arg;
+
+ return NULL;
+ }
+@@ -1545,7 +1569,7 @@ const char *ssl_cmd_SSLProxyCARevocationPath(cmd_p
+ void *dcfg,
+ const char *arg)
+ {
+- SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
++ SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
+ const char *err;
+
+ if ((err = ssl_cmd_check_dir(cmd, &arg))) {
+@@ -1552,7 +1576,7 @@ const char *ssl_cmd_SSLProxyCARevocationPath(cmd_p
+ return err;
+ }
+
+- sc->proxy->crl_path = arg;
++ dc->proxy->crl_path = arg;
+
+ return NULL;
+ }
+@@ -1561,7 +1585,7 @@ const char *ssl_cmd_SSLProxyCARevocationFile(cmd_p
+ void *dcfg,
+ const char *arg)
+ {
+- SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
++ SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
+ const char *err;
+
+ if ((err = ssl_cmd_check_file(cmd, &arg))) {
+@@ -1568,7 +1592,7 @@ const char *ssl_cmd_SSLProxyCARevocationFile(cmd_p
+ return err;
+ }
+
+- sc->proxy->crl_file = arg;
++ dc->proxy->crl_file = arg;
+
+ return NULL;
+ }
+@@ -1577,9 +1601,9 @@ const char *ssl_cmd_SSLProxyCARevocationCheck(cmd_
+ void *dcfg,
+ const char *arg)
+ {
+- SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
++ SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
+
+- return ssl_cmd_crlcheck_parse(cmd, arg, &sc->proxy->crl_check_mask);
++ return ssl_cmd_crlcheck_parse(cmd, arg, &dc->proxy->crl_check_mask);
+ }
+
+ const char *ssl_cmd_SSLProxyMachineCertificateFile(cmd_parms *cmd,
+@@ -1586,7 +1610,7 @@ const char *ssl_cmd_SSLProxyMachineCertificateFile
+ void *dcfg,
+ const char *arg)
+ {
+- SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
++ SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
+ const char *err;
+
+ if ((err = ssl_cmd_check_file(cmd, &arg))) {
+@@ -1593,7 +1617,7 @@ const char *ssl_cmd_SSLProxyMachineCertificateFile
+ return err;
+ }
+
+- sc->proxy->pkp->cert_file = arg;
++ dc->proxy->pkp->cert_file = arg;
+
+ return NULL;
+ }
+@@ -1602,7 +1626,7 @@ const char *ssl_cmd_SSLProxyMachineCertificatePath
+ void *dcfg,
+ const char *arg)
+ {
+- SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
++ SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
+ const char *err;
+
+ if ((err = ssl_cmd_check_dir(cmd, &arg))) {
+@@ -1609,7 +1633,7 @@ const char *ssl_cmd_SSLProxyMachineCertificatePath
+ return err;
+ }
+
+- sc->proxy->pkp->cert_path = arg;
++ dc->proxy->pkp->cert_path = arg;
+
+ return NULL;
+ }
+@@ -1618,7 +1642,7 @@ const char *ssl_cmd_SSLProxyMachineCertificateChai
+ void *dcfg,
+ const char *arg)
+ {
+- SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
++ SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
+ const char *err;
+
+ if ((err = ssl_cmd_check_file(cmd, &arg))) {
+@@ -1625,7 +1649,7 @@ const char *ssl_cmd_SSLProxyMachineCertificateChai
+ return err;
+ }
+
+- sc->proxy->pkp->ca_cert_file = arg;
++ dc->proxy->pkp->ca_cert_file = arg;
+
+ return NULL;
+ }
+@@ -1735,9 +1759,9 @@ const char *ssl_cmd_SSLOCSPNoVerify(cmd_parms *cmd
+
+ const char *ssl_cmd_SSLProxyCheckPeerExpire(cmd_parms *cmd, void *dcfg, int flag)
+ {
+- SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
++ SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
+
+- sc->proxy_ssl_check_peer_expire = flag ? SSL_ENABLED_TRUE : SSL_ENABLED_FALSE;
++ dc->proxy->ssl_check_peer_expire = flag ? TRUE : FALSE;
+
+ return NULL;
+ }
+@@ -1744,9 +1768,9 @@ const char *ssl_cmd_SSLProxyCheckPeerExpire(cmd_pa
+
+ const char *ssl_cmd_SSLProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag)
+ {
+- SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
++ SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
+
+- sc->proxy_ssl_check_peer_cn = flag ? SSL_ENABLED_TRUE : SSL_ENABLED_FALSE;
++ dc->proxy->ssl_check_peer_cn = flag ? TRUE : FALSE;
+
+ return NULL;
+ }
+@@ -1753,9 +1777,9 @@ const char *ssl_cmd_SSLProxyCheckPeerCN(cmd_parms
+
+ const char *ssl_cmd_SSLProxyCheckPeerName(cmd_parms *cmd, void *dcfg, int flag)
+ {
+- SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
++ SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
+
+- sc->proxy_ssl_check_peer_name = flag ? SSL_ENABLED_TRUE : SSL_ENABLED_FALSE;
++ dc->proxy->ssl_check_peer_name = flag ? TRUE : FALSE;
+
+ return NULL;
+ }
+Index: modules/ssl/ssl_engine_init.c
+===================================================================
+--- modules/ssl/ssl_engine_init.c (revision 1813018)
++++ modules/ssl/ssl_engine_init.c (working copy)
+@@ -215,10 +215,6 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_po
+ sc->server->sc = sc;
+ }
+
+- if (sc->proxy) {
+- sc->proxy->sc = sc;
+- }
+-
+ /*
+ * Create the server host:port string because we need it a lot
+ */
+@@ -238,9 +234,6 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_po
+ if (sc->enabled == SSL_ENABLED_UNSET) {
+ sc->enabled = SSL_ENABLED_FALSE;
+ }
+- if (sc->proxy_enabled == UNSET) {
+- sc->proxy_enabled = FALSE;
+- }
+
+ if (sc->session_cache_timeout == UNSET) {
+ sc->session_cache_timeout = SSL_SESSION_CACHE_TIMEOUT;
+@@ -357,15 +350,19 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_po
+ }
+
+ for (s = base_server; s; s = s->next) {
++ SSLDirConfigRec *sdc = ap_get_module_config(s->lookup_defaults,
++ &ssl_module);
++
+ sc = mySrvConfig(s);
+-
+ if (sc->enabled == SSL_ENABLED_TRUE || sc->enabled == SSL_ENABLED_OPTIONAL) {
+ if ((rv = ssl_run_init_server(s, p, 0, sc->server->ssl_ctx)) != APR_SUCCESS) {
+ return rv;
+ }
+ }
+- else if (sc->proxy_enabled == SSL_ENABLED_TRUE) {
+- if ((rv = ssl_run_init_server(s, p, 1, sc->proxy->ssl_ctx)) != APR_SUCCESS) {
++
++ if (sdc->proxy_enabled) {
++ rv = ssl_run_init_server(s, p, 1, sdc->proxy->ssl_ctx);
++ if (rv != APR_SUCCESS) {
+ return rv;
+ }
+ }
+@@ -1565,18 +1562,70 @@ static apr_status_t ssl_init_proxy_certs(server_re
+ return APR_SUCCESS;
+ }
+
++#define MODSSL_CFG_ITEM_FREE(func, item) \
++ if (item) { \
++ func(item); \
++ item = NULL; \
++ }
++
++static void ssl_init_ctx_cleanup(modssl_ctx_t *mctx)
++{
++ MODSSL_CFG_ITEM_FREE(SSL_CTX_free, mctx->ssl_ctx);
++
++#ifdef HAVE_SRP
++ if (mctx->srp_vbase != NULL) {
++ SRP_VBASE_free(mctx->srp_vbase);
++ mctx->srp_vbase = NULL;
++ }
++#endif
++}
++
++static apr_status_t ssl_cleanup_proxy_ctx(void *data)
++{
++ modssl_ctx_t *mctx = data;
++
++ ssl_init_ctx_cleanup(mctx);
++
++ if (mctx->pkp->certs) {
++ int i = 0;
++ int ncerts = sk_X509_INFO_num(mctx->pkp->certs);
++
++ if (mctx->pkp->ca_certs) {
++ for (i = 0; i < ncerts; i++) {
++ if (mctx->pkp->ca_certs[i] != NULL) {
++ sk_X509_pop_free(mctx->pkp->ca_certs[i], X509_free);
++ }
++ }
++ }
++
++ sk_X509_INFO_pop_free(mctx->pkp->certs, X509_INFO_free);
++ mctx->pkp->certs = NULL;
++ }
++
++ return APR_SUCCESS;
++}
++
+ static apr_status_t ssl_init_proxy_ctx(server_rec *s,
+ apr_pool_t *p,
+ apr_pool_t *ptemp,
+- SSLSrvConfigRec *sc)
++ modssl_ctx_t *proxy)
+ {
+ apr_status_t rv;
+
+- if ((rv = ssl_init_ctx(s, p, ptemp, sc->proxy)) != APR_SUCCESS) {
++ if (proxy->ssl_ctx) {
++ /* Merged/initialized already */
++ return APR_SUCCESS;
++ }
++
++ apr_pool_cleanup_register(p, proxy,
++ ssl_cleanup_proxy_ctx,
++ apr_pool_cleanup_null);
++
++ if ((rv = ssl_init_ctx(s, p, ptemp, proxy)) != APR_SUCCESS) {
+ return rv;
+ }
+
+- if ((rv = ssl_init_proxy_certs(s, p, ptemp, sc->proxy)) != APR_SUCCESS) {
++ if ((rv = ssl_init_proxy_certs(s, p, ptemp, proxy)) != APR_SUCCESS) {
+ return rv;
+ }
+
+@@ -1698,6 +1747,8 @@ apr_status_t ssl_init_ConfigureServer(server_rec *
+ SSLSrvConfigRec *sc,
+ apr_array_header_t *pphrases)
+ {
++ SSLDirConfigRec *sdc = ap_get_module_config(s->lookup_defaults,
++ &ssl_module);
+ apr_status_t rv;
+
+ /* Initialize the server if SSL is enabled or optional.
+@@ -1717,11 +1768,17 @@ apr_status_t ssl_init_ConfigureServer(server_rec *
+
+ }
+
+- if (sc->proxy_enabled) {
+- if ((rv = ssl_init_proxy_ctx(s, p, ptemp, sc)) != APR_SUCCESS) {
++ sdc->proxy->sc = sc;
++ if (sdc->proxy_enabled == TRUE) {
++ rv = ssl_init_proxy_ctx(s, p, ptemp, sdc->proxy);
++ if (rv != APR_SUCCESS) {
+ return rv;
+ }
+ }
++ else {
++ sdc->proxy_enabled = FALSE;
++ }
++ sdc->proxy_post_config = 1;
+
+ return APR_SUCCESS;
+ }
+@@ -1816,6 +1873,35 @@ apr_status_t ssl_init_CheckServers(server_rec *bas
+ return APR_SUCCESS;
+ }
+
++int ssl_proxy_section_post_config(apr_pool_t *p, apr_pool_t *plog,
++ apr_pool_t *ptemp, server_rec *s,
++ ap_conf_vector_t *section_config)
++{
++ SSLDirConfigRec *sdc = ap_get_module_config(s->lookup_defaults,
++ &ssl_module);
++ SSLDirConfigRec *pdc = ap_get_module_config(section_config,
++ &ssl_module);
++ if (pdc) {
++ pdc->proxy->sc = mySrvConfig(s);
++ ssl_config_proxy_merge(p, sdc, pdc);
++ if (pdc->proxy_enabled) {
++ apr_status_t rv;
++
++ rv = ssl_init_proxy_ctx(s, p, ptemp, pdc->proxy);
++ if (rv != APR_SUCCESS) {
++ return !OK;
++ }
++
++ rv = ssl_run_init_server(s, p, 1, pdc->proxy->ssl_ctx);
++ if (rv != APR_SUCCESS) {
++ return !OK;
++ }
++ }
++ pdc->proxy_post_config = 1;
++ }
++ return OK;
++}
++
+ static int ssl_init_FindCAList_X509NameCmp(const X509_NAME * const *a,
+ const X509_NAME * const *b)
+ {
+@@ -1943,45 +2029,6 @@ void ssl_init_Child(apr_pool_t *p, server_rec *s)
+ #endif
+ }
+
+-#define MODSSL_CFG_ITEM_FREE(func, item) \
+- if (item) { \
+- func(item); \
+- item = NULL; \
+- }
+-
+-static void ssl_init_ctx_cleanup(modssl_ctx_t *mctx)
+-{
+- MODSSL_CFG_ITEM_FREE(SSL_CTX_free, mctx->ssl_ctx);
+-
+-#ifdef HAVE_SRP
+- if (mctx->srp_vbase != NULL) {
+- SRP_VBASE_free(mctx->srp_vbase);
+- mctx->srp_vbase = NULL;
+- }
+-#endif
+-}
+-
+-static void ssl_init_ctx_cleanup_proxy(modssl_ctx_t *mctx)
+-{
+- ssl_init_ctx_cleanup(mctx);
+-
+- if (mctx->pkp->certs) {
+- int i = 0;
+- int ncerts = sk_X509_INFO_num(mctx->pkp->certs);
+-
+- if (mctx->pkp->ca_certs) {
+- for (i = 0; i < ncerts; i++) {
+- if (mctx->pkp->ca_certs[i] != NULL) {
+- sk_X509_pop_free(mctx->pkp->ca_certs[i], X509_free);
+- }
+- }
+- }
+-
+- sk_X509_INFO_pop_free(mctx->pkp->certs, X509_INFO_free);
+- mctx->pkp->certs = NULL;
+- }
+-}
+-
+ apr_status_t ssl_init_ModuleKill(void *data)
+ {
+ SSLSrvConfigRec *sc;
+@@ -2000,8 +2047,6 @@ apr_status_t ssl_init_ModuleKill(void *data)
+ for (s = base_server; s; s = s->next) {
+ sc = mySrvConfig(s);
+
+- ssl_init_ctx_cleanup_proxy(sc->proxy);
+-
+ ssl_init_ctx_cleanup(sc->server);
+
+ /* Not Sure but possibly clear X509 trusted cert file */
+Index: modules/ssl/ssl_engine_io.c
+===================================================================
+--- modules/ssl/ssl_engine_io.c (revision 1813018)
++++ modules/ssl/ssl_engine_io.c (working copy)
+@@ -1170,7 +1170,9 @@ static apr_status_t ssl_io_filter_handshake(ssl_fi
+ "proxy-request-hostname");
+ BOOL proxy_ssl_check_peer_ok = TRUE;
+ int post_handshake_rc = OK;
++ SSLDirConfigRec *dc;
+
++ dc = sslconn->dc;
+ sc = mySrvConfig(server);
+
+ #ifdef HAVE_TLSEXT
+@@ -1218,7 +1220,7 @@ static apr_status_t ssl_io_filter_handshake(ssl_fi
+ */
+ if (hostname_note &&
+ #ifndef OPENSSL_NO_SSL3
+- sc->proxy->protocol != SSL_PROTOCOL_SSLV3 &&
++ dc->proxy->protocol != SSL_PROTOCOL_SSLV3 &&
+ #endif
+ apr_ipsubnet_create(&ip, hostname_note, NULL,
+ c->pool) != APR_SUCCESS) {
+@@ -1247,7 +1249,7 @@ static apr_status_t ssl_io_filter_handshake(ssl_fi
+
+ cert = SSL_get_peer_certificate(filter_ctx->pssl);
+
+- if (sc->proxy_ssl_check_peer_expire != SSL_ENABLED_FALSE) {
++ if (dc->proxy->ssl_check_peer_expire != FALSE) {
+ if (!cert
+ || (X509_cmp_current_time(
+ X509_get_notBefore(cert)) >= 0)
+@@ -1258,9 +1260,9 @@ static apr_status_t ssl_io_filter_handshake(ssl_fi
+ "SSL Proxy: Peer certificate is expired");
+ }
+ }
+- if ((sc->proxy_ssl_check_peer_name != SSL_ENABLED_FALSE) &&
+- ((sc->proxy_ssl_check_peer_cn != SSL_ENABLED_FALSE) ||
+- (sc->proxy_ssl_check_peer_name == SSL_ENABLED_TRUE)) &&
++ if ((dc->proxy->ssl_check_peer_name != FALSE) &&
++ ((dc->proxy->ssl_check_peer_cn != FALSE) ||
++ (dc->proxy->ssl_check_peer_name == TRUE)) &&
+ hostname_note) {
+ apr_table_unset(c->notes, "proxy-request-hostname");
+ if (!cert
+@@ -1272,7 +1274,7 @@ static apr_status_t ssl_io_filter_handshake(ssl_fi
+ "for hostname %s", hostname_note);
+ }
+ }
+- else if ((sc->proxy_ssl_check_peer_cn == SSL_ENABLED_TRUE) &&
++ else if ((dc->proxy->ssl_check_peer_cn != FALSE) &&
+ hostname_note) {
+ const char *hostname;
+ int match = 0;
+Index: modules/ssl/ssl_engine_kernel.c
+===================================================================
+--- modules/ssl/ssl_engine_kernel.c (revision 1813018)
++++ modules/ssl/ssl_engine_kernel.c (working copy)
+@@ -1559,8 +1559,8 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX
+ server_rec *s = r ? r->server : mySrvFromConn(conn);
+
+ SSLSrvConfigRec *sc = mySrvConfig(s);
+- SSLDirConfigRec *dc = r ? myDirConfig(r) : NULL;
+ SSLConnRec *sslconn = myConnConfig(conn);
++ SSLDirConfigRec *dc = r ? myDirConfig(r) : sslconn->dc;
+ modssl_ctx_t *mctx = myCtxConfig(sslconn, sc);
+ int crl_check_mode = mctx->crl_check_mask & ~SSL_CRLCHECK_FLAGS;
+
+@@ -1752,11 +1752,12 @@ int ssl_callback_proxy_cert(SSL *ssl, X509 **x509,
+ conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
+ server_rec *s = mySrvFromConn(c);
+ SSLSrvConfigRec *sc = mySrvConfig(s);
++ SSLDirConfigRec *dc = myDirConfigFromConn(c);
+ X509_NAME *ca_name, *issuer, *ca_issuer;
+ X509_INFO *info;
+ X509 *ca_cert;
+ STACK_OF(X509_NAME) *ca_list;
+- STACK_OF(X509_INFO) *certs = sc->proxy->pkp->certs;
++ STACK_OF(X509_INFO) *certs;
+ STACK_OF(X509) *ca_certs;
+ STACK_OF(X509) **ca_cert_chains;
+ int i, j, k;
+@@ -1765,6 +1766,7 @@ int ssl_callback_proxy_cert(SSL *ssl, X509 **x509,
+ SSLPROXY_CERT_CB_LOG_FMT "entered",
+ sc->vhost_id);
+
++ certs = (dc && dc->proxy) ? dc->proxy->pkp->certs : NULL;
+ if (!certs || (sk_X509_INFO_num(certs) <= 0)) {
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(02268)
+ SSLPROXY_CERT_CB_LOG_FMT
+@@ -1789,7 +1791,7 @@ int ssl_callback_proxy_cert(SSL *ssl, X509 **x509,
+ return TRUE;
+ }
+
+- ca_cert_chains = sc->proxy->pkp->ca_certs;
++ ca_cert_chains = dc->proxy->pkp->ca_certs;
+ for (i = 0; i < sk_X509_NAME_num(ca_list); i++) {
+ ca_name = sk_X509_NAME_value(ca_list, i);
+
+Index: modules/ssl/ssl_private.h
+===================================================================
+--- modules/ssl/ssl_private.h (revision 1813018)
++++ modules/ssl/ssl_private.h (working copy)
+@@ -296,14 +296,18 @@ APLOG_USE_MODULE(ssl);
+ #define strIsEmpty(s) (s == NULL || s[0] == NUL)
+
+ #define myConnConfig(c) \
+-(SSLConnRec *)ap_get_module_config(c->conn_config, &ssl_module)
+-#define myCtxConfig(sslconn, sc) (sslconn->is_proxy ? sc->proxy : sc->server)
++ ((SSLConnRec *)ap_get_module_config(c->conn_config, &ssl_module))
+ #define myConnConfigSet(c, val) \
+-ap_set_module_config(c->conn_config, &ssl_module, val)
+-#define mySrvConfig(srv) (SSLSrvConfigRec *)ap_get_module_config(srv->module_config, &ssl_module)
+-#define myDirConfig(req) (SSLDirConfigRec *)ap_get_module_config(req->per_dir_config, &ssl_module)
+-#define myModConfig(srv) (mySrvConfig((srv)))->mc
+-#define mySrvFromConn(c) (myConnConfig(c))->server
++ ap_set_module_config(c->conn_config, &ssl_module, val)
++#define mySrvConfig(srv) \
++ ((SSLSrvConfigRec *)ap_get_module_config(srv->module_config, &ssl_module))
++#define myDirConfig(req) \
++ ((SSLDirConfigRec *)ap_get_module_config(req->per_dir_config, &ssl_module))
++#define myCtxConfig(sslconn, sc) \
++ (sslconn->is_proxy ? sslconn->dc->proxy : sc->server)
++#define myModConfig(srv) mySrvConfig((srv))->mc
++#define mySrvFromConn(c) myConnConfig(c)->server
++#define myDirConfigFromConn(c) myConnConfig(c)->dc
+ #define mySrvConfigFromConn(c) mySrvConfig(mySrvFromConn(c))
+ #define myModConfigFromConn(c) myModConfig(mySrvFromConn(c))
+
+@@ -484,6 +488,9 @@ typedef struct {
+ * (i.e. the global configuration for each httpd process)
+ */
+
++typedef struct SSLSrvConfigRec SSLSrvConfigRec;
++typedef struct SSLDirConfigRec SSLDirConfigRec;
++
+ typedef enum {
+ SSL_SHUTDOWN_TYPE_UNSET,
+ SSL_SHUTDOWN_TYPE_STANDARD,
+@@ -522,6 +529,7 @@ typedef struct {
+ } reneg_state;
+
+ server_rec *server;
++ SSLDirConfigRec *dc;
+
+ const char *cipher_suite; /* cipher suite used in last reneg */
+ } SSLConnRec;
+@@ -642,8 +650,6 @@ typedef struct {
+ } ssl_ctx_param_t;
+ #endif
+
+-typedef struct SSLSrvConfigRec SSLSrvConfigRec;
+-
+ typedef struct {
+ SSLSrvConfigRec *sc; /** pointer back to server config */
+ SSL_CTX *ssl_ctx;
+@@ -711,12 +717,15 @@ typedef struct {
+ SSL_CONF_CTX *ssl_ctx_config; /* Configuration context */
+ apr_array_header_t *ssl_ctx_param; /* parameters to pass to SSL_CTX */
+ #endif
++
++ BOOL ssl_check_peer_cn;
++ BOOL ssl_check_peer_name;
++ BOOL ssl_check_peer_expire;
+ } modssl_ctx_t;
+
+ struct SSLSrvConfigRec {
+ SSLModConfigRec *mc;
+ ssl_enabled_t enabled;
+- BOOL proxy_enabled;
+ const char *vhost_id;
+ int vhost_id_len;
+ int session_cache_timeout;
+@@ -723,10 +732,6 @@ struct SSLSrvConfigRec {
+ BOOL cipher_server_pref;
+ BOOL insecure_reneg;
+ modssl_ctx_t *server;
+- modssl_ctx_t *proxy;
+- ssl_enabled_t proxy_ssl_check_peer_expire;
+- ssl_enabled_t proxy_ssl_check_peer_cn;
+- ssl_enabled_t proxy_ssl_check_peer_name;
+ #ifdef HAVE_TLSEXT
+ ssl_enabled_t strict_sni_vhost_check;
+ #endif
+@@ -744,7 +749,7 @@ struct SSLSrvConfigRec {
+ * (i.e. the local configuration for all <Directory>
+ * and .htaccess contexts)
+ */
+-typedef struct {
++struct SSLDirConfigRec {
+ BOOL bSSLRequired;
+ apr_array_header_t *aRequirement;
+ ssl_opt_t nOptions;
+@@ -753,12 +758,14 @@ struct SSLSrvConfigRec {
+ const char *szCipherSuite;
+ ssl_verify_t nVerifyClient;
+ int nVerifyDepth;
+- const char *szCACertificatePath;
+- const char *szCACertificateFile;
+ const char *szUserName;
+ apr_size_t nRenegBufferSize;
+-} SSLDirConfigRec;
+
++ modssl_ctx_t *proxy;
++ BOOL proxy_enabled;
++ BOOL proxy_post_config;
++};
++
+ /**
+ * function prototypes
+ */
+@@ -774,6 +781,8 @@ void *ssl_config_server_create(apr_pool_t *
+ void *ssl_config_server_merge(apr_pool_t *, void *, void *);
+ void *ssl_config_perdir_create(apr_pool_t *, char *);
+ void *ssl_config_perdir_merge(apr_pool_t *, void *, void *);
++void ssl_config_proxy_merge(apr_pool_t *,
++ SSLDirConfigRec *, SSLDirConfigRec *);
+ const char *ssl_cmd_SSLPassPhraseDialog(cmd_parms *, void *, const char *);
+ const char *ssl_cmd_SSLCryptoDevice(cmd_parms *, void *, const char *);
+ const char *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *);
+@@ -856,6 +865,9 @@ apr_status_t ssl_init_Engine(server_rec *, apr_poo
+ apr_status_t ssl_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *,
+ apr_array_header_t *);
+ apr_status_t ssl_init_CheckServers(server_rec *, apr_pool_t *);
++int ssl_proxy_section_post_config(apr_pool_t *p, apr_pool_t *plog,
++ apr_pool_t *ptemp, server_rec *s,
++ ap_conf_vector_t *section_config);
+ STACK_OF(X509_NAME)
[... 212 lines stripped ...]