mod_ssl because the SSL_CTX was created and configured for *every*
request. unlike in 2.0 where we configure the proxy SSL_CTX at
startup time, which is much better for performance. but we don't want
to configure a proxy context for every vhost if it isn't going to be
used, for the same reasons we don't create a server context for every
vhost unless SSLEngine is on.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@94314
13f79535-47bb-0310-9956-
ffa450edef68
/*
* Proxy configuration for remote SSL connections
*/
+ SSL_CMD_SRV(ProxyEngine, FLAG,
+ "SSL switch for the proxy protocol engine "
+ "(`on', `off')")
SSL_CMD_SRV(ProxyProtocol, RAW_ARGS,
"SSL Proxy: enable or disable SSL protocol flavors "
"(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
int ssl_proxy_enable(conn_rec *c)
{
+ SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
+
SSLConnRec *sslconn = ssl_init_connection_ctx(c);
+ if (!sc->proxy_enabled) {
+ ssl_log(c->base_server, SSL_LOG_ERROR,
+ "SSL Proxy requested for %s but not enabled "
+ "[Hint: SSLProxyEngine]", sc->vhost_id);
+
+ return 0;
+ }
+
sslconn->is_proxy = 1;
return 1;
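Review bot: The new `proxy_enabled` guard in ssl_proxy_enable runs after `ssl_init_connection_ctx(c)`, so a request for a vhost without SSLProxyEngine still gets an SSLConnRec allocated and attached to the connection before the function refuses it; moving the guard above that call keeps the refusal free of side effects and lets the error path depend only on `sc`. The change is to move `SSLConnRec *sslconn = ssl_init_connection_ctx(c);` to just below the closing brace of the `if (!sc->proxy_enabled)` block, leaving `sslconn->is_proxy = 1;` as the first statement after it. This assumes ssl_init_connection_ctx only creates the per-connection record; if callers rely on it having run even on the failure path, keep the present order and say so in a comment. The closing brace of ssl_proxy_enable lies outside the hunk.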
struct SSLSrvConfigRec {
SSLModConfigRec *mc;
BOOL enabled;
+ BOOL proxy_enabled;
const char *vhost_id;
int vhost_id_len;
const char *log_file_name;
const char *ssl_cmd_SSLRequireSSL(cmd_parms *, void *);
const char *ssl_cmd_SSLRequire(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
const char *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLProxyVerify(cmd_parms *, void *, const char *);
sc->mc = NULL;
sc->enabled = UNSET;
+ sc->proxy_enabled = UNSET;
sc->vhost_id = NULL; /* set during module init */
sc->vhost_id_len = 0; /* set during module init */
sc->log_file_name = NULL;
cfgMerge(mc, NULL);
cfgMergeBool(enabled);
+ cfgMergeBool(proxy_enabled);
cfgMergeString(log_file_name);
cfgMerge(log_level, SSL_LOG_NONE);
cfgMergeInt(session_cache_timeout);
return ssl_cmd_protocol_parse(cmd, arg, &sc->server->protocol);
}
+const char *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+ sc->proxy_enabled = flag ? TRUE : FALSE;
+
+ return NULL;
+}
+
const char *ssl_cmd_SSLProxyProtocol(cmd_parms *cmd,
void *dcfg,
const char *arg)
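Review bot: ssl_cmd_SSLProxyEngine is added without a header comment, unlike the directive it sits next to, and nothing in the file explains that the flag it stores is what ssl_init_Module and ssl_proxy_enable later consult. A short comment above the definition would do: `/* SSLProxyEngine on|off: records whether this vhost may open outbound SSL connections; read at startup to decide whether ssl_init_proxy_ctx() builds a proxy SSL_CTX, and per connection by ssl_proxy_enable(). */`. The `dcfg` parameter is unused here, which matches the other server-scope handlers, so no change to the signature is needed.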
sc->enabled = FALSE;
}
+ if (sc->proxy_enabled == UNSET) {
+ sc->proxy_enabled = FALSE;
+ }
+
if (sc->session_cache_timeout == UNSET) {
sc->session_cache_timeout = SSL_SESSION_CACHE_TIMEOUT;
}
ssl_init_server_ctx(s, p, ptemp, sc);
}
- if (1) { /* XXX: add directive */
+ if (sc->proxy_enabled) {
ssl_init_proxy_ctx(s, p, ptemp, sc);
}
}