Hi,

while setting up Apache as an ssl tunnel to some backend servers, I've noticed that for each new outgoing connection a reverse lookup is performed.
For several reasons I had to prevent this from happening (in short, I don't want to bother the DNS server too much), so I've written the attached patch to solve my problem.

A new boolean configuration directive named 'ReverseLookups' is added. It defaults to 'On'. This means that as default it behaves as usual.
The proposed solution lacks maybe a bit of flexibility but it seems to work.
Would adding a third optional parameter to the ProxyPass directive make more sense?

Any idea/suggestion for a better solution?

Both the issue and the solution have been tested on a linux 2.4 system running apache 1.3.26 and 1.3.27.

Relevant configuration options:

HostnameLookups Off
Listen 192.168.1.1:443
<VirtualHost 192.168.1.1:443>
ServerName some.host.com
SSLEngine On
SSLCertificateFile /opt/apache/conf/ssl.crt/my.crt
SSLCertificateKeyFile /opt/apache/conf/ssl.key/my.key
ProxyPass / http://192.168.2.1:80/
ProxyPassReverse / http://192.168.2.1:80/
</VirtualHost>


Best regards.

--
Federico Mennite
diff -urN apache_1.3.27/src/modules/proxy/mod_proxy.c 
apache_1.3.27.ite/src/modules/proxy/mod_proxy.c
--- apache_1.3.27/src/modules/proxy/mod_proxy.c 2002-06-18 02:59:59.000000000 +0200
+++ apache_1.3.27.ite/src/modules/proxy/mod_proxy.c     2003-02-13 23:33:45.000000000 
++0100
@@ -434,6 +434,8 @@
     ps->domain = NULL;
     ps->viaopt = via_off;       /* initially backward compatible with 1.3.1 */
     ps->viaopt_set = 0;         /* 0 means default */
+    ps->reverse_lookups = 1;
+    ps->reverse_lookups_set = 0;
     ps->req = 0;
     ps->req_set = 0;
     ps->recv_buffer_size = 0;   /* this default was left unset for some
@@ -482,6 +484,7 @@
 
     ps->domain = (overrides->domain == NULL) ? base->domain : overrides->domain;
     ps->viaopt = (overrides->viaopt_set == 0) ? base->viaopt : overrides->viaopt;
+    ps->reverse_lookups = (overrides->reverse_lookups_set == 0) ? 
+base->reverse_lookups : overrides->reverse_lookups;
     ps->req = (overrides->req_set == 0) ? base->req : overrides->req;
     ps->recv_buffer_size = (overrides->recv_buffer_size_set == 0) ? 
base->recv_buffer_size : overrides->recv_buffer_size;
     ps->io_buffer_size = (overrides->io_buffer_size_set == 0) ? base->io_buffer_size 
: overrides->io_buffer_size;
@@ -920,6 +923,17 @@
     return NULL;
 }
 
+static const char *
+     set_reverse_lookups(cmd_parms *parms, void *dummy, int flag)
+{
+    proxy_server_conf *psf =
+    ap_get_module_config(parms->server->module_config, &proxy_module);
+
+    psf->reverse_lookups = flag;
+    psf->reverse_lookups_set = 1;
+    return NULL;
+}
+
 static const handler_rec proxy_handlers[] =
 {
     {"proxy-server", proxy_handler},
@@ -970,6 +984,8 @@
     "Force a http cache completion after this percentage is loaded"},
     {"ProxyVia", set_via_opt, NULL, RSRC_CONF, TAKE1,
     "Configure Via: proxy header header to one of: on | off | block | full"},
+    {"ReverseLookups", set_reverse_lookups, NULL, RSRC_CONF, FLAG,
+    "On if reverse lookups for remote connections are needed"},
     {NULL}
 };
 
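Review bot: The directive name `ReverseLookups` in the new command-table entry says neither that it belongs to the proxy module nor which lookups it governs, and it reads very much like the core `HostnameLookups` setting, which concerns client addresses. The neighbouring entry is `ProxyVia`, so a name in that family would be consistent, for example `{"ProxyReverseLookups", set_reverse_lookups, NULL, RSRC_CONF, FLAG,`. The help string could carry the scope as well: `"Off to skip the reverse DNS lookup on numeric backend addresses (default On)"`. An administrator who sets it to Off expecting client-side lookups to stop would otherwise get no hint of the mistake.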
diff -urN apache_1.3.27/src/modules/proxy/mod_proxy.h 
apache_1.3.27.ite/src/modules/proxy/mod_proxy.h
--- apache_1.3.27/src/modules/proxy/mod_proxy.h 2002-04-21 13:35:07.000000000 +0200
+++ apache_1.3.27.ite/src/modules/proxy/mod_proxy.h     2003-02-13 23:26:17.000000000 
++0100
@@ -203,6 +203,8 @@
     char recv_buffer_size_set;
     size_t io_buffer_size;
     char io_buffer_size_set;
+    int reverse_lookups;
+    char reverse_lookups_set;
 } proxy_server_conf;
 
 struct hdr_entry {
@@ -306,6 +308,7 @@
 cache_req *ap_proxy_cache_error(cache_req *r);
 int ap_proxyerror(request_rec *r, int statuscode, const char *message);
 const char *ap_proxy_host2addr(const char *host, struct hostent *reqhp);
+const char *ap_proxy_host2addr_ext(const char *host, struct hostent *reqhp, int 
+reverse);
 int ap_proxy_is_ipaddr(struct dirconn_entry *This, pool *p);
 int ap_proxy_is_domainname(struct dirconn_entry *This, pool *p);
 int ap_proxy_is_hostname(struct dirconn_entry *This, pool *p);
diff -urN apache_1.3.27/src/modules/proxy/proxy_http.c 
apache_1.3.27.ite/src/modules/proxy/proxy_http.c
--- apache_1.3.27/src/modules/proxy/proxy_http.c        2002-09-03 09:12:46.000000000 
+0200
+++ apache_1.3.27.ite/src/modules/proxy/proxy_http.c    2003-02-13 23:13:18.000000000 
++0100
@@ -225,13 +225,13 @@
 
     if (proxyhost != NULL) {
         server.sin_port = htons((unsigned short)proxyport);
-        err = ap_proxy_host2addr(proxyhost, &server_hp);
+        err = ap_proxy_host2addr_ext(proxyhost, &server_hp, conf->reverse_lookups);
         if (err != NULL)
             return DECLINED;    /* try another */
     }
     else {
         server.sin_port = htons((unsigned short)destport);
-        err = ap_proxy_host2addr(desthost, &server_hp);
+        err = ap_proxy_host2addr_ext(desthost, &server_hp, conf->reverse_lookups);
         if (err != NULL)
             return ap_proxyerror(r, HTTP_INTERNAL_SERVER_ERROR, err);
     }
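Review bot: Only the two calls in this file pass `conf->reverse_lookups`; every other caller of `ap_proxy_host2addr` goes through the compatibility wrapper added in proxy_util.c, which hard-codes `reverse` to 1. If the module's other protocol handlers (not part of this patch) also resolve numeric backend addresses through that function, the directive silently has no effect there, while its help text speaks of remote connections in general. Either route those callers through `ap_proxy_host2addr_ext` too, or narrow the directive's description to the HTTP handler. `conf` is defined outside this hunk, so I am assuming it is the `proxy_server_conf` of the current server.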
diff -urN apache_1.3.27/src/modules/proxy/proxy_util.c 
apache_1.3.27.ite/src/modules/proxy/proxy_util.c
--- apache_1.3.27/src/modules/proxy/proxy_util.c        2002-07-22 18:26:03.000000000 
+0200
+++ apache_1.3.27.ite/src/modules/proxy/proxy_util.c    2003-02-13 23:22:31.000000000 
++0100
@@ -974,14 +974,20 @@
     return statuscode;
 }
 
+const char *
+     ap_proxy_host2addr(const char *host, struct hostent * reqhp) {
+            
+     return ap_proxy_host2addr_ext(host, reqhp, 1);
+}
+
 /*
  * This routine returns its own error message
  */
 const char *
-     ap_proxy_host2addr(const char *host, struct hostent * reqhp)
+     ap_proxy_host2addr_ext(const char *host, struct hostent * reqhp, int reverse)
 {
     int i;
-    struct hostent *hp;
+    struct hostent *hp = NULL;
     struct per_thread_data *ptd = get_per_thread_data();
 
     for (i = 0; host[i] != '\0'; i++)
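Review bot: The new `reverse` parameter of `ap_proxy_host2addr_ext` is undocumented, and the existing comment "This routine returns its own error message" now sits above the `_ext` function while the wrapper in front of it has none. I would extend that comment to say that `reverse` is consulted only on the branch that handles a literal address, and that 0 skips the `gethostbyaddr` call so the result carries the address without a resolved name (that fallback is in the next hunk). The wrapper deserves a one-liner such as `/* Compatibility wrapper: always performs the reverse lookup. */`, and its opening brace should go on its own line like the function below it. The body of `ap_proxy_host2addr_ext` continues outside this hunk.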
@@ -995,7 +1001,8 @@
     }
     else {
         ptd->ipaddr = ap_inet_addr(host);
-        hp = gethostbyaddr((char *)&ptd->ipaddr, sizeof(ptd->ipaddr), AF_INET);
+        if (reverse)
+            hp = gethostbyaddr((char *)&ptd->ipaddr, sizeof(ptd->ipaddr), AF_INET);
         if (hp == NULL) {
             memset(&ptd->hpbuf, 0, sizeof(ptd->hpbuf));
             ptd->hpbuf.h_name = 0;
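Review bot: With `reverse` at 0 this branch relies on `hp` having been initialised to NULL in the previous hunk, and it then takes the same fallback as a failed lookup, which leaves `h_name` at 0. That deserves a comment at the `if`, e.g. `/* reverse == 0: skip the PTR query; hp stays NULL and the hand-built hpbuf fallback below is used */`, so that nobody later removes the initialiser as redundant. Anything downstream that reads the resolved name (not visible here) gets none when the directive is Off, the same as when the lookup fails today. Braces around the single-statement `if (reverse)` body would also guard against a later edit slipping a second statement under it. The fallback block continues past the end of the hunk.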

