From 975f5e109532cf254907e090525666e777a292b5 Mon Sep 17 00:00:00 2001
From: Yann Ylavic
Date: Fri, 17 May 2019 08:42:17 +0000
Subject: [PATCH] Follow up to r1859371: extend to other ap_proxy_connection_create[_ex]() users.
This function now now handles SSL reuse as well as the "proxy-request-hostname" note (SNI), so let's also call it unconditionnaly in all proxy modules.
On the mod_ssl side, since this note has the lifetime of the connection, don't reset/unset it during handshake (ssl_io_filter_handshake).
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1859422 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/http2/mod_proxy_http2.c | 42 ++++++++++++------------------
 modules/proxy/mod_proxy_ftp.c | 10 +++----
 modules/proxy/mod_proxy_hcheck.c | 6 ++---
 modules/proxy/mod_proxy_uwsgi.c | 10 +++----
 modules/proxy/mod_proxy_wstunnel.c | 8 +++---
 modules/proxy/proxy_util.c | 3 +++
 modules/ssl/ssl_engine_io.c | 2 --
 7 files changed, 32 insertions(+), 49 deletions(-)
diff --git a/modules/http2/mod_proxy_http2.c b/modules/http2/mod_proxy_http2.c
index ca5c5d95ba..2208707990 100644
--- a/modules/http2/mod_proxy_http2.c
+++ b/modules/http2/mod_proxy_http2.c
@@ -387,32 +387,22 @@ run_connect:
 }
 /* Step Three: Create conn_rec for the socket we have open now. */
- if (!ctx->p_conn->connection) {
- status = ap_proxy_connection_create_ex(ctx->proxy_func, ctx->p_conn, ctx->r);
- if (status != OK) {
- ap_log_cerror(APLOG_MARK, APLOG_DEBUG, status, ctx->owner, APLOGNO(03353)
- "setup new connection: is_ssl=%d %s %s %s",
- ctx->p_conn->is_ssl, ctx->p_conn->ssl_hostname,
- locurl, ctx->p_conn->hostname);
- ctx->r_status = status;
- goto cleanup;
- }
-
- if (!ctx->p_conn->data && ctx->is_ssl) {
- /* New SSL connection: set a note on the connection about what
- * protocol we want.
- */
- apr_table_setn(ctx->p_conn->connection->notes,
- "proxy-request-alpn-protos", "h2");
- if (ctx->p_conn->ssl_hostname) {
- ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, ctx->owner,
- "set SNI to %s for (%s)",
- ctx->p_conn->ssl_hostname,
- ctx->p_conn->hostname);
- apr_table_setn(ctx->p_conn->connection->notes,
- "proxy-request-hostname", ctx->p_conn->ssl_hostname);
- }
- }
+ status = ap_proxy_connection_create_ex(ctx->proxy_func, ctx->p_conn, ctx->r);
+ if (status != OK) {
+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, status, ctx->owner, APLOGNO(03353)
+ "setup new connection: is_ssl=%d %s %s %s",
+ ctx->p_conn->is_ssl, ctx->p_conn->ssl_hostname,
+ locurl, ctx->p_conn->hostname);
+ ctx->r_status = status;
+ goto cleanup;
+ }
+
+ if (!ctx->p_conn->data && ctx->is_ssl) {
+ /* New SSL connection: set a note on the connection about what
+ * protocol we want.
+ */
+ apr_table_setn(ctx->p_conn->connection->notes,
+ "proxy-request-alpn-protos", "h2");
 }
 if (ctx->master->aborted) goto cleanup;
diff --git a/modules/proxy/mod_proxy_ftp.c b/modules/proxy/mod_proxy_ftp.c
index 9cb7f8bc5d..c982dc552f 100644
--- a/modules/proxy/mod_proxy_ftp.c
+++ b/modules/proxy/mod_proxy_ftp.c
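Review bot: The now-unconditional `ap_proxy_connection_create_ex()` call at the top of the new block carries no comment saying why the former `if (!ctx->p_conn->connection)` guard is gone, so a later reader may well reintroduce it. Per the commit message the helper now handles an already-established (reused) connection and sets the SNI note itself; I'd state that at the call site, e.g. `/* Always call this, even for a reused connection: it handles SSL reuse and (re)sets the "proxy-request-hostname" (SNI) note itself. */`. The same comment is worth adding at the equivalent calls in the mod_proxy_ftp.c, mod_proxy_hcheck.c, mod_proxy_uwsgi.c and mod_proxy_wstunnel.c hunks. The enclosing function starts and ends outside this hunk.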
@@ -1196,12 +1196,10 @@ static int proxy_ftp_handler(request_rec *r, proxy_worker *worker,
 return HTTP_SERVICE_UNAVAILABLE;
 }
- if (!backend->connection) {
- status = ap_proxy_connection_create_ex("FTP", backend, r);
- if (status != OK) {
- proxy_ftp_cleanup(r, backend);
- return status;
- }
+ status = ap_proxy_connection_create_ex("FTP", backend, r);
+ if (status != OK) {
+ proxy_ftp_cleanup(r, backend);
+ return status;
 }
 /* Use old naming */
diff --git a/modules/proxy/mod_proxy_hcheck.c b/modules/proxy/mod_proxy_hcheck.c
index 73c6b96b1e..689cd01f2a 100644
--- a/modules/proxy/mod_proxy_hcheck.c
+++ b/modules/proxy/mod_proxy_hcheck.c
@@ -766,10 +766,8 @@ static apr_status_t hc_check_http(baton_t *baton)
 }
 r = create_request_rec(ptemp, ctx->s, baton->balancer, wctx->method);
- if (!backend->connection) {
- if ((status = ap_proxy_connection_create_ex("HCOH", backend, r)) != OK) {
- return backend_cleanup("HCOH", backend, ctx->s, status);
- }
+ if ((status = ap_proxy_connection_create_ex("HCOH", backend, r)) != OK) {
+ return backend_cleanup("HCOH", backend, ctx->s, status);
 }
 set_request_connection(r, backend->connection);
diff --git a/modules/proxy/mod_proxy_uwsgi.c b/modules/proxy/mod_proxy_uwsgi.c
index 6f33e196d7..bce4fc21b8 100644
--- a/modules/proxy/mod_proxy_uwsgi.c
+++ b/modules/proxy/mod_proxy_uwsgi.c
@@ -509,12 +509,10 @@ static int uwsgi_handler(request_rec *r, proxy_worker * worker,
 }
 /* Step Three: Create conn_rec */
- if (!backend->connection) {
- if ((status = ap_proxy_connection_create(UWSGI_SCHEME, backend,
- r->connection,
- r->server)) != OK)
- goto cleanup;
- }
+ if ((status = ap_proxy_connection_create(UWSGI_SCHEME, backend,
+ r->connection,
+ r->server)) != OK)
+ goto cleanup;
 /* Step Four: Process the Request */
 if (((status = ap_setup_client_block(r, REQUEST_CHUNKED_ERROR)) != OK)
diff --git a/modules/proxy/mod_proxy_wstunnel.c b/modules/proxy/mod_proxy_wstunnel.c
index b03778a92e..6c46bac179 100644
--- a/modules/proxy/mod_proxy_wstunnel.c
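Review bot: In the mod_proxy_uwsgi.c hunk the new `if ((status = ap_proxy_connection_create(UWSGI_SCHEME, backend, r->connection, r->server)) != OK) goto cleanup;` is the only call in this commit that keeps the non-`_ex` variant, and the only one whose body is an unbraced `goto` hanging off a three-line condition. Unless uwsgi_handler deliberately avoids the request-based form, the shape used by the sibling modules would read more consistently and is safer to extend later: `if ((status = ap_proxy_connection_create_ex(UWSGI_SCHEME, backend, r)) != OK) {` / `goto cleanup;` / `}`. uwsgi_handler starts and ends outside the hunk.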
+++ b/modules/proxy/mod_proxy_wstunnel.c
@@ -523,11 +523,9 @@ static int proxy_wstunnel_handler(request_rec *r, proxy_worker *worker,
 }
 /* Step Three: Create conn_rec */
- if (!backend->connection) {
- status = ap_proxy_connection_create_ex(scheme, backend, r);
- if (status != OK) {
- goto cleanup;
- }
+ status = ap_proxy_connection_create_ex(scheme, backend, r);
+ if (status != OK) {
+ goto cleanup;
 }
 /* Step Four: Process the Request */
diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
index 315fcca17b..460342bc77 100644
--- a/modules/proxy/proxy_util.c
+++ b/modules/proxy/proxy_util.c
@@ -3293,6 +3293,9 @@ static int proxy_connection_create(const char *proxy_function,
 /* Set a note on the connection about what CN is requested,
 * such that mod_ssl can check if it is requested to do so. */
+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, conn->connection,
+ "%s: set SNI to %s for (%s)", proxy_function,
+ conn->ssl_hostname, conn->hostname);
 apr_table_setn(conn->connection->notes, "proxy-request-hostname", conn->ssl_hostname);
 }
diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
index 210eaeef6f..f6c64b4503 100644
--- a/modules/ssl/ssl_engine_io.c
+++ b/modules/ssl/ssl_engine_io.c
@@ -1338,7 +1338,6 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
 ((dc->proxy->ssl_check_peer_cn != FALSE) || (dc->proxy->ssl_check_peer_name == TRUE)) && hostname_note) {
- apr_table_unset(c->notes, "proxy-request-hostname");
 if (!cert || modssl_X509_match_name(c->pool, cert, hostname_note, TRUE, server) == FALSE) {
@@ -1355,7 +1354,6 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
 hostname = ssl_var_lookup(NULL, server, c, NULL, "SSL_CLIENT_S_DN_CN");
- apr_table_unset(c->notes, "proxy-request-hostname");
 /* Do string match or simplest wildcard match if that
 * fails. */
-- 
2.40.0
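Review bot: The comment above the `apr_table_setn(conn->connection->notes, "proxy-request-hostname", ...)` context line in the proxy_util.c hunk still describes the note only as something mod_ssl checks, but after this commit it is set on every `ap_proxy_connection_create[_ex]()` call, including for a reused connection, and the two ssl_engine_io.c hunks stop unsetting it after the peer-name check, so it now lives as long as `conn->connection`. I'd record that next to the setn, e.g. `/* The note has the connection's lifetime: it is (re)set on every create call and mod_ssl no longer unsets it in ssl_io_filter_handshake(). */`. Two things are worth confirming given that lifetime: `apr_table_setn()` stores the `conn->ssl_hostname` pointer without copying, so its pool must outlive the conn_rec; and the `modssl_X509_match_name()` check in ssl_io_filter_handshake() presumably runs only at handshake time, so the persisted note is not re-validated on reuse and the reuse path must already guarantee a pooled connection is never paired with a different ssl_hostname. The enclosing block and proxy_connection_create() start outside the hunk.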