mod_proxy: allow SSLProxyCheckPeer* usage for all proxy modules.
authorYann Ylavic <ylavic@apache.org>
Tue, 19 Dec 2017 22:46:27 +0000 (22:46 +0000)
committerYann Ylavic <ylavic@apache.org>
Tue, 19 Dec 2017 22:46:27 +0000 (22:46 +0000)
PR 61857.

Proposed by: Markus Gausling <markusgausling googlemail.com>
Reviewed by: ylavic

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1818726 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
modules/http2/mod_proxy_http2.c
modules/proxy/mod_proxy_http.c
modules/proxy/proxy_util.c

diff --git a/CHANGES b/CHANGES
index 4bccfd0149b23ebe859ea2c44783760150bc8c61..1fc9f35219e5fd2904c2fc152527bdafa12954da 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.1
 
+  *) mod_proxy: allow SSLProxyCheckPeer* usage for all proxy modules.
+     PR 61857.  [Yann Ylavic]
+
   *) mod_proxy_html: fix handling of <meta http-equiv> elements.
      PR 58121.  [Nick Kew]
 
index 41370a218588bffd14c02f23dc35acea47ad9e2f..ad2af74fdec1a6b5e5dc23449c54567432a95af4 100644 (file)
@@ -588,21 +588,12 @@ run_connect:
             goto reconnect;
         }
         
-        if (!ctx->p_conn->data) {
-            /* New conection: set a note on the connection what CN is
-             * requested and what protocol we want */
-            if (ctx->p_conn->ssl_hostname) {
-                ap_log_cerror(APLOG_MARK, APLOG_TRACE1, status, ctx->owner, 
-                              "set SNI to %s for (%s)", 
-                              ctx->p_conn->ssl_hostname, 
-                              ctx->p_conn->hostname);
-                apr_table_setn(ctx->p_conn->connection->notes,
-                               "proxy-request-hostname", ctx->p_conn->ssl_hostname);
-            }
-            if (ctx->is_ssl) {
-                apr_table_setn(ctx->p_conn->connection->notes,
-                               "proxy-request-alpn-protos", "h2");
-            }
+        if (!ctx->p_conn->data && ctx->is_ssl) {
+            /* New SSL connection: set a note on the connection about what
+             * protocol we want.
+             */
+            apr_table_setn(ctx->p_conn->connection->notes,
+                           "proxy-request-alpn-protos", "h2");
         }
     }
 
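Review bot: The rewritten comment on the `!ctx->p_conn->data && ctx->is_ssl` branch no longer says where the requested peer name comes from, so a reader of this file sees only the ALPN note and cannot tell that the `proxy-request-hostname` note is still being set. Since this commit moves that note into `proxy_connection_create()` in modules/proxy/proxy_util.c, the comment should say so, e.g. `/* New SSL connection: request h2 via ALPN; the "proxy-request-hostname" note is set in proxy_util.c when the connection is created. */`. The enclosing function starts and ends outside the hunk, so the order of connection creation relative to this branch is not visible here and is worth confirming.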
index 0acab13892fb14bf593ad67530ac5a843e186d23..ab230049a195160bd5d583e87b1e0d26fdd19efa 100644 (file)
@@ -2086,17 +2086,6 @@ static int proxy_http_handler(request_rec *r, proxy_worker *worker,
                                                         backend, r)) != OK)
                 break;
             backconn = backend->connection;
-
-            /*
-             * On SSL connections set a note on the connection what CN is
-             * requested, such that mod_ssl can check if it is requested to do
-             * so.
-             */
-            if (backend->ssl_hostname) {
-                apr_table_setn(backend->connection->notes,
-                               "proxy-request-hostname",
-                               backend->ssl_hostname);
-            }
         }
 
         /* Don't recycle the connection if prefetch (above) told not to do so */
index 74b25c67219dd7f83da90b2f2728eebd8cc9832d..1418fc9a1c999b82017846af072960b814431e92 100644 (file)
@@ -3105,6 +3105,13 @@ static int proxy_connection_create(const char *proxy_function,
                          backend_addr, conn->hostname);
             return HTTP_INTERNAL_SERVER_ERROR;
         }
+        if (conn->ssl_hostname) {
+            /* Set a note on the connection about what CN is requested,
+             * such that mod_ssl can check if it is requested to do so.
+             */
+            apr_table_setn(conn->connection->notes, "proxy-request-hostname",
+                           conn->ssl_hostname);
+        }
     }
     else {
         /* TODO: See if this will break FTP */
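Review bot: When `conn->ssl_hostname` is NULL the added block sets no `proxy-request-hostname` note and logs nothing, and the commit also drops the only trace line (`set SNI to %s for (%s)` in mod_proxy_http2.c) that recorded which name was requested. Going by the added comment, mod_ssl takes the name to check from this note, so the logs no longer show whether the SSLProxyCheckPeer* name comparison had a name to work with; a trace line for both cases would help, e.g. `ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, conn->connection, "%s: requesting peer name %s for (%s)", proxy_function, conn->ssl_hostname, conn->hostname);`. `apr_table_setn` stores the value pointer without copying, so the comment should also state that `conn->ssl_hostname` must live at least as long as `conn->connection`; the allocation is not visible in this hunk. `proxy_connection_create` begins and ends outside the hunk.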