Re: Allowing modules to add input filters is broken

[Ben Laurie <be...@algroup.co.uk>]

Bill Stoddard wrote:
> 
> > rbb@covalent.net wrote:
> > >
> > > On Sun, 20 May 2001, Ben Laurie wrote:
> > >
> > > > Bill Stoddard wrote:
> > > > > As I (and now Ryan) have pointed out, the only way to filter headers
> is to
> > > > > hook the pre_connection hook.  But this is a really bad idea for
> reasons
> > > > > mentioned in both of our previous posts.
> > > >
> > > > What about mod_tls?
> > >
> > > Mod_tls should check the port in the pre_connection phase, and add the
> tls
> > > filter if the port is an SSL enabled virtual host.
> >
> > I know. That was my point!
> >
> 
> What was your point? Guess I didn't get it. One question though... How do
> you know if "the port is an SSL enabled virtual host" (your words not mine)?

Actually, they were Ryan's.

> Seems the best you can do is to know that the port  is an SSL port (via a
> server wide config) You cannot know in the pre_config hook which VH the
> request belongs to.

My point was that mod_tls has to do its thing in the pre_connection
phase, which isn't compatible with "but this is a really bad idea for
reasons mentioned in both of our previous posts".

And you can know which VH to the level SSL can care about, since it is
purely IP/port based (if we ignore the upgrade header, which is a
different thing that no browser implements [which is not to say we
shouldn't, of course]).

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff