Changes with Apache 2.0.36
+ *) fix ProxyPass when frontend is https and backend is http
+ [Doug MacEachern]
+
Changes with Apache 2.0.35
*) mod_rewrite: updated to use the new APR global mutex type.
};
APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
+APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
static APR_OPTIONAL_FN_TYPE(ssl_proxy_enable) *proxy_ssl_enable = NULL;
+static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *proxy_ssl_disable = NULL;
PROXY_DECLARE(int) ap_proxy_ssl_enable(conn_rec *c)
{
return 0;
}
+PROXY_DECLARE(int) ap_proxy_ssl_disable(conn_rec *c)
+{
+ if (proxy_ssl_disable) {
+ return proxy_ssl_disable(c);
+ }
+
+ return 0;
+}
+
static int proxy_post_config(apr_pool_t *pconf, apr_pool_t *plog,
apr_pool_t *ptemp, server_rec *s)
{
proxy_ssl_enable = APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable);
+ proxy_ssl_disable = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable);
return OK;
}
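Review bot: ap_proxy_ssl_disable() returns 0 in two situations a caller cannot tell apart: when mod_ssl is not loaded (proxy_ssl_disable stays NULL after APR_RETRIEVE_OPTIONAL_FN) and when the retrieved function itself returns 0. The sibling ap_proxy_ssl_enable() is treated by its caller as "0 means failure", so the new wrapper needs a comment saying that 0 is not an error here, for example `/* returns 1 if SSL was switched off for c, 0 if mod_ssl is absent or SSL is not enabled for this server */`. The same one-line contract belongs on the prototype added to mod_proxy.h.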
PROXY_DECLARE(void) ap_proxy_table_unmerge(apr_pool_t *p, apr_table_t *t, char *key);
PROXY_DECLARE(int) ap_proxy_connect_to_backend(apr_socket_t **, const char *, apr_sockaddr_t *, const char *, proxy_server_conf *, server_rec *, apr_pool_t *);
PROXY_DECLARE(int) ap_proxy_ssl_enable(conn_rec *c);
+PROXY_DECLARE(int) ap_proxy_ssl_disable(conn_rec *c);
#endif /*MOD_PROXY_H*/
backend->hostname = apr_pstrdup(c->pool, p_conn->name);
backend->port = p_conn->port;
- if (backend->is_ssl && !ap_proxy_ssl_enable(backend->connection)) {
- ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0,
- r->server, "proxy: failed to enable ssl support "
- "for %pI (%s)", p_conn->addr, p_conn->name);
- return HTTP_INTERNAL_SERVER_ERROR;
+ if (backend->is_ssl) {
+ if (!ap_proxy_ssl_enable(backend->connection)) {
+ ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0,
+ r->server, "proxy: failed to enable ssl support "
+ "for %pI (%s)", p_conn->addr, p_conn->name);
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+ }
+ else {
+ ap_proxy_ssl_disable(backend->connection);
}
ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r->server,
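Review bot: The new else branch discards the result of ap_proxy_ssl_disable(), so nothing records that a request received on an SSL-enabled server is being forwarded to the backend without SSL. Consider logging when the call reports that SSL was actually switched off: `if (ap_proxy_ssl_disable(backend->connection)) {` followed by `ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r->server, "proxy: ssl disabled for %pI (%s)", p_conn->addr, p_conn->name);`. That gives operators a trace for auditing cleartext backend hops. The enclosing function starts and ends outside this hunk, and the debug message on its last line is cut off, so it may already cover part of this.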
}
sslconn->is_proxy = 1;
+ sslconn->disabled = 0;
+
+ return 1;
+}
+
+int ssl_engine_disable(conn_rec *c)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
+
+ SSLConnRec *sslconn;
+
+ if (!sc->enabled) {
+ return 0;
+ }
+
+ sslconn = ssl_init_connection_ctx(c);
+
+ sslconn->disabled = 1;
return 1;
}
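Review bot: ssl_engine_disable() sets sslconn->disabled on whatever conn_rec it is given, and nothing in it restricts the call to outgoing proxy connections, although it is exported through APR_REGISTER_OPTIONAL_FN where any module can retrieve it. Because that flag makes the SSL hook return DECLINED for the connection, the function should carry a header comment stating the contract, e.g. `/* for backend (proxy) connections only; returns 0 if SSL is not enabled for c->base_server, otherwise marks c so SSL processing is skipped and returns 1 */`. The new `disabled` field in SSLConnRec deserves a matching one-line comment. The result of ssl_init_connection_ctx(c) is dereferenced unchecked; whether it can fail is not visible in this hunk.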
sslconn = ssl_init_connection_ctx(c);
}
+ if (sslconn->disabled) {
+ return DECLINED;
+ }
+
sslconn->log_level = sc->log_level;
/*
ssl_var_register();
APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
+ APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
}
module AP_MODULE_DECLARE_DATA ssl_module = {
int verify_depth;
int log_level; /* for avoiding expensive logging */
int is_proxy;
+ int disabled;
} SSLConnRec;
#define SSLConnLogApplies(sslconn, level) (sslconn->log_level >= level)
/* Proxy Support */
int ssl_proxy_enable(conn_rec *c);
+int ssl_engine_disable(conn_rec *c);
APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
+APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
+
/* I/O */
void ssl_io_filter_init(conn_rec *, SSL *);
void ssl_io_filter_register(apr_pool_t *);