add optional function (ssl_proxy_enable) to turn on ssl proxy

choose SSL_CTX based on SSLConnRec.is_proxy

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@94293 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
index 3b9138752f86bcca59bf3e9b418c334eb3427594..3f007f8aa8d5bc82ded884b29a74c92100a9f679 100644 (file)
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -215,24 +215,53 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,
     return OK;
 }
 
+static SSLConnRec *ssl_init_connection_ctx(conn_rec *c)
+{
+    SSLConnRec *sslconn = myConnConfig(c);
+
+    if (sslconn) {
+        return sslconn;
+    }
+
+    sslconn = apr_pcalloc(c->pool, sizeof(*sslconn));
+
+    myConnConfigSet(c, sslconn);
+
+    return sslconn;
+}
+
+int ssl_proxy_enable(conn_rec *c)
+{
+    SSLConnRec *sslconn = ssl_init_connection_ctx(c);
+
+    sslconn->is_proxy = 1;
+
+    return 1;
+}
+
 static int ssl_hook_pre_connection(conn_rec *c, void *csd)
 {
     SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
     SSL *ssl;
-    SSLConnRec *sslconn;
+    SSLConnRec *sslconn = myConnConfig(c);
+    modssl_ctx_t *mctx;
 
     /*
      * Immediately stop processing if SSL is disabled for this connection
      */
-    if (!(sc && sc->enabled)) {
+    if (!(sc && (sc->enabled ||
+                 (sslconn && sslconn->is_proxy))))
+    {
         return DECLINED;
     }
 
     /*
      * Create SSL context
      */
-    sslconn = apr_pcalloc(c->pool, sizeof(*sslconn));
-    myConnConfigSet(c, sslconn);
+    if (!sslconn) {
+        sslconn = ssl_init_connection_ctx(c);
+    }
+
     sslconn->log_level = sc->log_level;
 
     /*
@@ -250,12 +279,14 @@ static int ssl_hook_pre_connection(conn_rec *c, void *csd)
      */
     ssl_rand_seed(c->base_server, c->pool, SSL_RSCTX_CONNECT, "");
 
+    mctx = sslconn->is_proxy ? sc->proxy : sc->server;
+
     /*
      * Create a new SSL connection with the configured server SSL context and
      * attach this to the socket. Additionally we register this attachment
      * so we can detach later.
      */
-    if (!(ssl = SSL_new(sc->server->ssl_ctx))) {
+    if (!(ssl = SSL_new(mctx->ssl_ctx))) {
         ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
                 "Unable to create a new SSL connection from the SSL context");
 
@@ -500,6 +531,8 @@ static void ssl_register_hooks(apr_pool_t *p)
     ap_hook_post_read_request(ssl_hook_ReadReq,    NULL,NULL, APR_HOOK_MIDDLE);
 
     ssl_var_register();
+
+    APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
 }
 
 module AP_MODULE_DECLARE_DATA ssl_module = {

diff --git a/modules/ssl/mod_ssl.h b/modules/ssl/mod_ssl.h
index 619bc499a812e4950b71e8015031b7040cecab36..dc6f0122953e8352e54b06099b725a3446512edd 100644 (file)
--- a/modules/ssl/mod_ssl.h
+++ b/modules/ssl/mod_ssl.h
@@ -430,6 +430,7 @@ typedef struct {
     const char *verify_error;
     int verify_depth;
     int log_level; /* for avoiding expensive logging */
+    int is_proxy;
 } SSLConnRec;
 
 #define SSLConnLogApplies(sslconn, level) (sslconn->log_level >= level)
@@ -713,6 +714,11 @@ APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup,
                          conn_rec *, request_rec *,
                          char *));
 
+/* Proxy Support */
+int ssl_proxy_enable(conn_rec *c);
+
+APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
+
 /*  I/O  */
 void         ssl_io_filter_init(conn_rec *, SSL *);
 void         ssl_io_filter_register(apr_pool_t *);