The create_connection hook has a fatal design flaw. create_conn is run before ap_update_vhost_given_ip(), which means that it is impossible to install input and output filters based on vhost info.
I want to install SSL_IN and SSL_OUT filters if the request is coming in to a vhost/port enabled for SSL, and that can't be done with the create_connection hook.

Bill

> > On Nov. 12, Ryan committed a patch creating the create_conn hook. The
> > idea was to move the client_socket out of the conn_rec, presumably to
> > make it available only to the core_in and core_out filters. However,
> > I just found a backdoor...
> >
> > In core_create_conn() the socket is saved away thusly:
> > ap_set_module_config(net->c->conn_config, &core_module, csd);
> >
> > And whoever needs to access the socket does this:
> > apr_socket_t *csd = ap_get_module_config(f->c->conn_config, &core_module);
>
> That hack was added because the proxy does the completely wrong thing
> with regard to handing sockets. In order to finish the Nov. 12 patch, I
> need to rip a lot of logic out of the proxy and re-implement, which I
> haven't had time to do recently. The only other module that should use
> the get_module_config hack is the perchild module, which is also doing
> the completely wrong thing with regard to sockets, but I haven't had time
> to fix that one either.
>
> > So the goal of hiding the socket is completely blown. The Nov. 11
> > change added a lot of complexity to the server (hard to
> > read/understand code) in pursuit of a goal that is then immediately
> > circumvented by the ap_get|set_module_config. So we made the server
> > more complex for no reason.
>
> It actually isn't blown. Try writing a module that implements a non-TCP
> socket, and it will work as long as you don't use the proxy or the
> perchild module. As proof, look at the fact that the Unix MPMs have
> been using that mechanism to handle the pipe_of_death. This allowed me
> to remove the ugly hacks at the beginning of the accept loop, which
> checked for the POD.
>
> Also, a big portion of the Nov 12 patch was to consolidate the accept
> functions for Unix and BeOS, which has meant far less duplicated code in
> the server.
>
> > I am on the verge of vetoing the Nov. 12 patch in favor of moving the
> > client_socket back into the conn_rec.
> >
> > Comments?
>
> Please don't let two mis-behaved modules color your judgment on this.
> Both proxy and perchild must be re-written if they are going to be
> clean, and once that is done the stupid set_module_config can be
> removed. In fact, the server ran for over a day without the
> set_module_config, but that broke the proxy, so I added the hack to
> allow the proxy to continue to work, while I worked to solve the
> underlying problem. Unfortunately, work and some extracurricular
> activities have stopped me from contributing much code recently.
> Hopefully, I will have time to code again soon.
>
> Ryan