Hi,
please take a look at this.

This patch enables apache2-peruser to use several SSL-enabled name-based
VirtualHosts on a single IP/port pair.

All virtualhosts need to use the same ServerEnvironment as the default
(first) virtualhost on this port, because the requested host is not known
yet (it is encrypted) and we don't want to decrypt it in a MULTIPLEXER.
Of course all the vhosts have to use the same certificates.
It can be useful if we have a wildcard certificate.

It requires mod_ssl to be compiled in because it uses the ssl_module struct.

I tested it on 2 of my machines and it seems to work, but your mileage may vary.

I'm no Apache programmer, so I probably missed a more elegant way of
getting info about SSL that doesn't require mod_ssl at compile time.

With this patch the config below works as expected; without the patch
Apache's workers get plain "GET /" requests for an SSL-enabled host and
produce errors.


# Two SSL vhosts on one address:port. The first <VirtualHost> is the default
# for 127.0.0.1:443; the second must use the same ServerEnvironment and the
# same certificate/key, since the host name is not known before decryption.
Listen 127.0.0.1:443
NameVirtualhost 127.0.0.1:443

# Default (first) vhost for this address:port.
<VirtualHost 127.0.0.1:443>
ServerEnvironment lazy lazy

ServerName localhost
SslEngine on
SSLCertificateFile /usr/local/apache2_debug/conf/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /usr/local/apache2_debug/conf/ssl-cert-snakeoil.key
DocumentRoot /usr/local/apache2_debug/3
</VirtualHost>

# Second vhost: same ServerEnvironment and same certificate as the default.
<VirtualHost 127.0.0.1:443>
ServerEnvironment lazy lazy

ServerName test.localhost

SslEngine on
SSLCertificateFile /usr/local/apache2_debug/conf/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /usr/local/apache2_debug/conf/ssl-cert-snakeoil.key
DocumentRoot /usr/local/apache2_debug/4
</VirtualHost>

-- 
Michał Grzędzicki
--- httpd-2.0.61/server/mpm/experimental/peruser/peruser.c	2007-12-12 14:31:44.401267148 +0100
+++ httpd-2.0.61/server/mpm/experimental/peruser/peruser.c	2007-12-12 14:32:26.011867649 +0100
@@ -132,6 +132,35 @@
 #include <sys/times.h>
 
 
+//enable my dirty ssl vhost hack Michal Grzedzicki <[EMAIL PROTECTED]>
+#define SSL_VIRTUALHOST_HACK
+
+#ifdef SSL_VIRTUALHOST_HACK
+
+//taken form mod_ssl.h
+//we only use enabled so other pointers are casted to void
+typedef struct {
+  void            *mc;
+  unsigned int     enabled;
+  unsigned int     proxy_enabled;
+  const char      *vhost_id;
+  int              vhost_id_len;
+  int              session_cache_timeout;
+  void            *server;
+  void            *proxy;
+} SSLSrvConfigRec;
+
+
+//not not sure if this is the right way to do it
+//without ssl it will not work
+
+extern module AP_MODULE_DECLARE_DATA ssl_module;
+
+static SSLSrvConfigRec *ssl_config;
+
+#endif
+
+
 #ifdef MPM_PERUSER_DEBUG
 # define _DBG(text,par...) \
     ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, \
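Review bot: The `SSLSrvConfigRec` typedef added here copies the layout of mod_ssl's private server config so that `enabled` can be read at a fixed offset; if the mod_ssl this MPM is linked against lays the struct out differently, `enabled` is read from some other field with no compile-time or run-time error, and the multiplexer then silently passes or withholds sockets. The comment on the typedef should pin the source so drift is noticed, e.g. `/* Mirror of SSLSrvConfigRec from httpd 2.0.61 mod_ssl.h; only ->enabled is read, keep field order in sync */`. `static SSLSrvConfigRec *ssl_config;` is a file-scope mutable that, as far as the second hunk shows, is only written and read inside one function, so it should be a local there rather than shared state. Defining `SSL_VIRTUALHOST_HACK` unconditionally makes the `extern ... ssl_module` reference mandatory, so the MPM no longer links without mod_ssl (as the description says); wrapping it as `#ifndef SSL_VIRTUALHOST_HACK` with the define supplied by the build would leave the default build unchanged.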
@@ -966,7 +995,21 @@
 		    current_conn->vhost_lookup_data ? "on" : "off");
     }
 
-    if (current_conn && !current_conn->vhost_lookup_data && CHILD_INFO_TABLE[my_child_num].type == CHILD_TYPE_MULTIPLEXER) {
+#ifdef SSL_VIRTUALHOST_HACK
+
+    //check for ssl configuration for this server
+    ssl_config = (SSLSrvConfigRec *)ap_get_module_config(current_conn->base_server->module_config, &ssl_module);
+
+    //pass socket if there is no NameVirtualhost or ssl is enabled on this server
+    if (current_conn && (!current_conn->vhost_lookup_data || ssl_config?ssl_config->enabled:0 ) && \
+	CHILD_INFO_TABLE[my_child_num].type == CHILD_TYPE_MULTIPLEXER) {
+
+#else SSL_VIRTUALHOST_HACK
+
+    if (current_conn && !current_conn->vhost_lookup_data && CHILD_INFO_TABLE[my_child_num].type == \
+	CHILD_TYPE_MULTIPLEXER) {
+
+#endif
     	_DBG("We are not using name based vhosts, we'll directly pass the socket.");
 	
 	sconf = PERUSER_SERVER_CONF(current_conn->base_server->module_config);
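Review bot: The condition on the added line `if (current_conn && (!current_conn->vhost_lookup_data || ssl_config?ssl_config->enabled:0 ) && ...` does not parse as intended: `||` binds tighter than `?:`, so it reads as `((!vhost_lookup_data || ssl_config) ? ssl_config->enabled : 0)`, which dereferences a NULL `ssl_config` when there is no NameVirtualHost and no mod_ssl config, and no longer passes the socket for a non-SSL server without name-based vhosts when `enabled` is 0, a regression from the original test; it should read `(!current_conn->vhost_lookup_data || (ssl_config && ssl_config->enabled))`. The `ssl_config = (SSLSrvConfigRec *)ap_get_module_config(current_conn->base_server->module_config, &ssl_module);` line above it dereferences `current_conn` before the `current_conn &&` guard that follows, so unless an enclosing check outside the hunk already guarantees it, write `ssl_config = current_conn ? ap_get_module_config(...) : NULL;`. `#else SSL_VIRTUALHOST_HACK` carries stray tokens after the directive and should be `#else /* SSL_VIRTUALHOST_HACK */`. Nothing in the hunk verifies that the other vhosts on this address share the default vhost's ServerEnvironment, which the description says is required; without such a check a vhost configured with a different ServerEnvironment would be served under the default vhost's user, so a startup-time consistency check, if the MPM's config phase allows it, would make the misconfiguration fail loudly. The `_DBG("We are not using name based vhosts, ...")` message is now also emitted on the SSL path and should mention that case.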