From 5e1c0e2c154c8008c81364f523df76f7d9448e08 Mon Sep 17 00:00:00 2001
From: Doug MacEachern
Date: Fri, 29 Mar 2002 17:56:33 +0000
Subject: [PATCH] add SSLProxyEngine directive. this was not required in the 1.x based mod_ssl because the SSL_CTX was created and configured for *every* request. unlike in 2.0 where we configure the proxy SSL_CTX at startup time, which is much better for performance. but we don't want to configure a proxy context for every vhost if it isn't going to be used, for the same reasons we don't create a server context for every vhost unless SSLEngine is on.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@94314 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/ssl/mod_ssl.c | 13 +++++++++++++
 modules/ssl/mod_ssl.h | 2 ++
 modules/ssl/ssl_engine_config.c | 11 +++++++++++
 modules/ssl/ssl_engine_init.c | 6 +++++-
 4 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
index da4dfdc161..5fd48807db 100644
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -154,6 +154,9 @@ static const command_rec ssl_config_cmds[] = {
     /*
      * Proxy configuration for remote SSL connections
      */
+    SSL_CMD_SRV(ProxyEngine, FLAG,
+                "SSL switch for the proxy protocol engine "
+                "(`on', `off')")
     SSL_CMD_SRV(ProxyProtocol, RAW_ARGS,
                 "SSL Proxy: enable or disable SSL protocol flavors "
                 "(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
@@ -230,8 +233,18 @@ static SSLConnRec *ssl_init_connection_ctx(conn_rec *c)
 
 int ssl_proxy_enable(conn_rec *c)
 {
+    SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
+
     SSLConnRec *sslconn = ssl_init_connection_ctx(c);
 
+    if (!sc->proxy_enabled) {
+        ssl_log(c->base_server, SSL_LOG_ERROR,
+                "SSL Proxy requested for %s but not enabled "
+                "[Hint: SSLProxyEngine]", sc->vhost_id);
+
+        return 0;
+    }
+
     sslconn->is_proxy = 1;
 
     return 1;
diff --git a/modules/ssl/mod_ssl.h b/modules/ssl/mod_ssl.h
index dc6f012295..2a00bb4ee9 100644
--- a/modules/ssl/mod_ssl.h
+++ b/modules/ssl/mod_ssl.h
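Review bot: The `proxy_enabled` guard in ssl_proxy_enable sits after `ssl_init_connection_ctx(c)`, so a connection that is refused because SSLProxyEngine is off has already had whatever per-connection state that static helper attaches to `c` created before the function returns 0; putting the guard first, `if (!sc->proxy_enabled) { ssl_log(...); return 0; }`, and only then `SSLConnRec *sslconn = ssl_init_connection_ctx(c);`, keeps a rejected connection free of SSL state and makes the fail-fast path obvious. Refusing here is only as strong as the caller's handling of the 0 return: if the proxy code that calls ssl_proxy_enable does not abort the request on failure, the backend connection would presumably carry on in cleartext, so that caller is worth checking alongside this change. Note also that `sc->vhost_id` is formatted into the log line and the config hunks in this patch say it is set during module init, so the error path assumes the function is never reached before then. The closing brace of ssl_proxy_enable lies outside the hunk.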
@@ -522,6 +522,7 @@ typedef struct {
 struct SSLSrvConfigRec {
     SSLModConfigRec *mc;
     BOOL enabled;
+    BOOL proxy_enabled;
     const char *vhost_id;
     int vhost_id_len;
     const char *log_file_name;
@@ -589,6 +590,7 @@ const char *ssl_cmd_SSLOptions(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLRequireSSL(cmd_parms *, void *);
 const char *ssl_cmd_SSLRequire(cmd_parms *, void *, const char *);
 
+const char *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
 const char *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLProxyVerify(cmd_parms *, void *, const char *);
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index 0ca27b9d65..5e659eef52 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -206,6 +206,7 @@ static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p)
 
     sc->mc = NULL;
     sc->enabled = UNSET;
+    sc->proxy_enabled = UNSET;
     sc->vhost_id = NULL; /* set during module init */
     sc->vhost_id_len = 0; /* set during module init */
     sc->log_file_name = NULL;
@@ -294,6 +295,7 @@ void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv)
 
     cfgMerge(mc, NULL);
     cfgMergeBool(enabled);
+    cfgMergeBool(proxy_enabled);
     cfgMergeString(log_file_name);
     cfgMerge(log_level, SSL_LOG_NONE);
     cfgMergeInt(session_cache_timeout);
@@ -1257,6 +1259,15 @@ const char *ssl_cmd_SSLProtocol(cmd_parms *cmd,
     return ssl_cmd_protocol_parse(cmd, arg, &sc->server->protocol);
 }
 
+const char *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag)
+{
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+    sc->proxy_enabled = flag ? TRUE : FALSE;
+
+    return NULL;
+}
+
 const char *ssl_cmd_SSLProxyProtocol(cmd_parms *cmd,
                                      void *dcfg,
                                      const char *arg)
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 6d9448a6c9..b065cf9f2e 100644
--- a/modules/ssl/ssl_engine_init.c
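Review bot: The new prototype in mod_ssl.h names its parameters (`cmd`, `dcfg`, `flag`) while every neighbouring ssl_cmd_* declaration in this list leaves them unnamed, which is a style mismatch in an otherwise uniform block. Keep the list consistent with `const char *ssl_cmd_SSLProxyEngine(cmd_parms *, void *, int);`; the `int` third parameter is correct for a FLAG directive and differs from the `const char *` of its neighbours, so the type, not the names, is what a reader needs to notice.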
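Review bot: ssl_cmd_SSLProxyEngine in ssl_engine_config.c carries no comment saying what the flag controls, and the effect is not local to this file: the ssl_engine_init.c hunks in this patch make it gate construction of the per-server proxy SSL_CTX at startup and default it to off when unset. A one-line header would spare the next reader the cross-file hunt, e.g. `/* SSLProxyEngine on|off: build a proxy SSL_CTX for this server at startup (see ssl_init_ConfigureServer); defaults to off */`. The unused `dcfg` parameter is expected for a server-scoped directive and is fine as it stands.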
+++ b/modules/ssl/ssl_engine_init.c
@@ -243,6 +243,10 @@ int ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
             sc->enabled = FALSE;
         }
 
+        if (sc->proxy_enabled == UNSET) {
+            sc->proxy_enabled = FALSE;
+        }
+
         if (sc->session_cache_timeout == UNSET) {
             sc->session_cache_timeout = SSL_SESSION_CACHE_TIMEOUT;
         }
@@ -929,7 +933,7 @@ void ssl_init_ConfigureServer(server_rec *s,
         ssl_init_server_ctx(s, p, ptemp, sc);
     }
 
-    if (1) { /* XXX: add directive */
+    if (sc->proxy_enabled) {
         ssl_init_proxy_ctx(s, p, ptemp, sc);
     }
 }
-- 
2.40.0
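Review bot: `if (sc->proxy_enabled)` in ssl_init_ConfigureServer is only correct once ssl_init_Module has collapsed UNSET to FALSE (the hunk above in this file); if UNSET is a non-zero sentinel, as its use alongside the other UNSET-defaulted fields suggests, a server record reaching this point before that normalisation would be treated as enabled and get a proxy context nobody configured. That ordering dependency is invisible at the call site, so spell it out above the test: `/* proxy_enabled has been normalised from UNSET by ssl_init_Module() */`. The `ssl_init_server_ctx` call just above presumably sits under the same kind of guard on `sc->enabled`, so the two branches should at least be documented the same way. ssl_init_ConfigureServer begins outside the hunk.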