let proxy handler forward ALPN protocol strings for ssl proxy connections
Remove leftover comment
APLOGNO update for mod_proxy_http2
fix APLOGNO at wrong place, me stupid
h2_proxy_session: fill in missing APLOGNO()s.
Submitted by: icing, jailletc36, icing, icing, ylavic
Reviewed/backported by: jim
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@
1743576 13f79535-47bb-0310-9956-
ffa450edef68
*) mod_authz_host: Add a new "forward-dns" authorization type, not relying on
reverse DNS lookups. [Fabien]
+ *) mod_proxy_http2: new experimental http2 proxy module for h2: and h2c: proxy
+ urls. Uses backend connections for concurrent requests if frontend
+ connection is http2 as well.
+ [Stefan Eissing]
+
*) mod_ssl: Add hooks to allow other modules to perform processing at
several stages of initialization and connection handling. See
mod_ssl_openssl.h. [Jeff Trawick]
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- *) mod_proxy_http2: add http2 proxy support in new, experimental module.
- Includes backport of r1729208 to set ALPN protocols for ssl backend
- connections.
- Trunk version of patch: <various>
- Backport version for 2.4.x of patch: https://www.eissing.org/proxy_http2_2.4v4.patch
- +1: icing, ylavic, jim
- updated patch after review by cjaillet, merged 1735668,1735748 from trunk
- updated patch with APLOGNOs by merging 1735931,1735935 from trunk
- updated patch with APLOGNOs by merging 1735942 from trunk
-
PATCHES PROPOSED TO BACKPORT FROM TRUNK:
[ New proposals should be added at the end of the list ]
#
TARGET_nlm = \
$(OBJDIR)/mod_http2.nlm \
- $(OBJDIR)/mod_http2.nlm \
+ $(OBJDIR)/proxyht2.nlm \
$(EOLIST)
#
+dnl # list of module object files
+proxy_http2_objs="dnl
+mod_proxy_http2.lo dnl
+h2_int_queue.lo dnl
+h2_proxy_session.lo dnl
+h2_request.lo dnl
+h2_util.lo dnl
+"
+
+dnl # hook module into the Autoconf mechanism (--enable-proxy_http2)
+APACHE_MODULE(proxy_http2, [HTTP/2 proxy module. This module requires a libnghttp2 installation.
+See --with-nghttp2 on how to manage non-standard locations. Also requires --enable-proxy.], $proxy_http2_objs, , no, [
+ APACHE_CHECK_NGHTTP2
+ if test "$ac_cv_nghttp2" = "yes" ; then
+ if test "x$enable_http2" = "xshared"; then
+ # The only symbol which needs to be exported is the module
+ # structure, so ask libtool to hide everything else:
+ APR_ADDTO(MOD_PROXY_HTTP2_LDADD, [-export-symbols-regex proxy_http2_module])
+ fi
+ else
+ enable_proxy_http2=no
+ fi
+], proxy)
+
+
dnl # end of module specific part
APACHE_MODPATH_FINISH
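Review bot: The shared-build test inside the new proxy_http2 block reads `$enable_http2` rather than `$enable_proxy_http2`, so the `-export-symbols-regex proxy_http2_module` restriction follows how mod_http2 is built, not how this module is built. It looks carried over from the mod_http2 block, which is outside this hunk. If mod_proxy_http2 is built shared while mod_http2 is static or disabled, the module would be linked without the symbol hiding that the comment describes. The test should read `if test "x$enable_proxy_http2" = "xshared"; then`.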
case H2_SESSION_ST_WAIT:
transit(session, "data read", H2_SESSION_ST_BUSY);
break;
- /* fall through */
default:
/* nop */
break;
if (sslconn->is_proxy) {
#ifdef HAVE_TLSEXT
apr_ipsubnet_t *ip;
+#ifdef HAVE_TLS_ALPN
+ const char *alpn_note;
+#endif
#endif
const char *hostname_note = apr_table_get(c->notes,
"proxy-request-hostname");
sc = mySrvConfig(server);
#ifdef HAVE_TLSEXT
+#ifdef HAVE_TLS_ALPN
+ alpn_note = apr_table_get(c->notes, "proxy-request-alpn-protos");
+ if (alpn_note) {
+ char *protos, *s, *p, *last;
+ apr_size_t len;
+
+ s = protos = apr_pcalloc(c->pool, strlen(alpn_note)+1);
+ p = apr_pstrdup(c->pool, alpn_note);
+ while ((p = apr_strtok(p, ", ", &last))) {
+ len = last - p - (*last? 1 : 0);
+ if (len > 255) {
+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(03309)
+ "ALPN proxy protocol identifier too long: %s",
+ p);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, server);
+ return APR_EGENERAL;
+ }
+ *s++ = (unsigned char)len;
+ while (len--) {
+ *s++ = *p++;
+ }
+ p = NULL;
+ }
+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, c,
+ "setting alpn protos from '%s', protolen=%d",
+ alpn_note, (int)(s - protos));
+ if (protos != s && SSL_set_alpn_protos(filter_ctx->pssl,
+ (unsigned char *)protos,
+ s - protos)) {
+ ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, APLOGNO(03310)
+ "error setting alpn protos from '%s'", alpn_note);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_WARNING, server);
+ }
+ }
+#endif /* defined HAVE_TLS_ALPN */
/*
* Enable SNI for backend requests. Make sure we don't do it for
* pure SSLv3 connections, and also prevent IP addresses
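Review bot: The token length from `len = last - p - (*last? 1 : 0);` in the ALPN loop is one byte too long when the note value ends in a separator (for example a constructed value `h2,`). In that case apr_strtok() leaves `last` on the string's terminating NUL, so nothing is subtracted and the NUL is copied into the wire-format list as part of the protocol identifier. The `strlen(alpn_note)+1` allocation still covers this, so the result is a malformed ALPN offer the backend will not match, not an out-of-bounds write. Since apr_strtok() NUL-terminates each token, `len = strlen(p);` gives the right length in every case. The enclosing function starts before and continues after this hunk, and the place where the `proxy-request-alpn-protos` note is set is not visible here, so whether such a value can occur in practice should be checked against the callers.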