From 56111a692a985a9a1cdfdc350af36ec1da8fc5fd Mon Sep 17 00:00:00 2001
From: Yann Ylavic
Date: Tue, 19 Dec 2017 22:46:27 +0000
Subject: [PATCH] mod_proxy: allow SSLProxyCheckPeer* usage for all proxy modules. PR 61857.
Proposed by: Markus Gausling
Reviewed by: ylavic
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1818726 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES | 3 +++
 modules/http2/mod_proxy_http2.c | 21 ++++++---------------
 modules/proxy/mod_proxy_http.c | 11 -----------
 modules/proxy/proxy_util.c | 7 +++++++
 4 files changed, 16 insertions(+), 26 deletions(-)
diff --git a/CHANGES b/CHANGES
index 4bccfd0149..1fc9f35219 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
 -*- coding: utf-8 -*-
 Changes with Apache 2.5.1
+ *) mod_proxy: allow SSLProxyCheckPeer* usage for all proxy modules.
+ PR 61857. [Yann Ylavic]
+
 *) mod_proxy_html: fix handling of elements. PR 58121. [Nick Kew]
diff --git a/modules/http2/mod_proxy_http2.c b/modules/http2/mod_proxy_http2.c
index 41370a2185..ad2af74fde 100644
--- a/modules/http2/mod_proxy_http2.c
+++ b/modules/http2/mod_proxy_http2.c
@@ -588,21 +588,12 @@ run_connect:
 goto reconnect;
 }
- if (!ctx->p_conn->data) {
- /* New conection: set a note on the connection what CN is
- * requested and what protocol we want */
- if (ctx->p_conn->ssl_hostname) {
- ap_log_cerror(APLOG_MARK, APLOG_TRACE1, status, ctx->owner,
- "set SNI to %s for (%s)",
- ctx->p_conn->ssl_hostname,
- ctx->p_conn->hostname);
- apr_table_setn(ctx->p_conn->connection->notes,
- "proxy-request-hostname", ctx->p_conn->ssl_hostname);
- }
- if (ctx->is_ssl) {
- apr_table_setn(ctx->p_conn->connection->notes,
- "proxy-request-alpn-protos", "h2");
- }
+ if (!ctx->p_conn->data && ctx->is_ssl) {
+ /* New SSL connection: set a note on the connection about what
+ * protocol we want.
+ */
+ apr_table_setn(ctx->p_conn->connection->notes,
+ "proxy-request-alpn-protos", "h2");
 }
 }
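Review bot: The TRACE1 message `set SNI to %s for (%s)` is deleted in this hunk, and nothing equivalent is added where `proxy-request-hostname` is now set (the proxy_util.c hunk), so trace logs no longer show which name the backend certificate is checked against. If that trace is still wanted it could move with the note, e.g. `ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, conn->connection, "set SNI to %s for (%s)", conn->ssl_hostname, conn->hostname);` inside the new `if (conn->ssl_hostname)` block. The enclosing function starts and ends outside this hunk.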
diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c
index 0acab13892..ab230049a1 100644
--- a/modules/proxy/mod_proxy_http.c
+++ b/modules/proxy/mod_proxy_http.c
@@ -2086,17 +2086,6 @@ static int proxy_http_handler(request_rec *r, proxy_worker *worker,
 backend, r)) != OK)
 break;
 backconn = backend->connection;
-
- /*
- * On SSL connections set a note on the connection what CN is
- * requested, such that mod_ssl can check if it is requested to do
- * so.
- */
- if (backend->ssl_hostname) {
- apr_table_setn(backend->connection->notes,
- "proxy-request-hostname",
- backend->ssl_hostname);
- }
 }
 /* Don't recycle the connection if prefetch (above) told not to do so */
diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
index 74b25c6721..1418fc9a1c 100644
--- a/modules/proxy/proxy_util.c
+++ b/modules/proxy/proxy_util.c
@@ -3105,6 +3105,13 @@ static int proxy_connection_create(const char *proxy_function,
 backend_addr, conn->hostname);
 return HTTP_INTERNAL_SERVER_ERROR;
 }
+ if (conn->ssl_hostname) {
+ /* Set a note on the connection about what CN is requested,
+ * such that mod_ssl can check if it is requested to do so.
+ */
+ apr_table_setn(conn->connection->notes, "proxy-request-hostname",
+ conn->ssl_hostname);
+ }
 }
 else {
 /* TODO: See if this will break FTP */
--
2.40.0
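Review bot: The note is written only when `conn->ssl_hostname` is non-NULL, and this block in the proxy_util.c hunk is now the single place that sets it for every proxy module, so an SSL backend connection without an `ssl_hostname` reaches mod_ssl with no `proxy-request-hostname` at all. If mod_ssl keys its SSLProxyCheckPeer* name check on the presence of that note (not visible in this patch), that case skips the check silently; the comment should say so, e.g. `/* No ssl_hostname: no note is set, so mod_ssl has no name to check the peer against. */` above the `if`. `apr_table_setn` stores the pointer without copying, so the comment should also state that `conn->ssl_hostname` must live at least as long as `conn->connection`. `proxy_connection_create` starts and ends outside the hunk.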