Andreas Kimpfler wrote:
> Hi all,
> we are about to extend the Apache module "mod_vhost_ldap".
I built my own mod_vhost_ldap extension. Reasoning is at the bottom.
> This module is able to manage vhosts directly from LDAP.
> Our goal is to completely manage vhost configuration over LDAP,
> including parameters from external modules like mod_dav, PHP and so
> on.
[snip]
> - The first problem we discovered is how to handle multiple vhosts with
> different IPs and ports (e.g. to use https in a vhost). Normally these
> two parameters are written in an Apache config when entering a new
> vhost, like this example:
> <VirtualHost 123.123.123.132:80>
Pertaining to the <VirtualHost [address[:port]]> tags, those are not
fields in the server_rec structure, AFAIK. I wouldn't worry about it.
The module should be able to pick up any address, and serve the host. If
you need to ensure that the request is hitting the correct IP address,
check the socket's local side and compare it with something in LDAP.
> But where are these parameters read? We found something about doing a
> DNS lookup when initializing a new vhost, but we did not find the code
> where these two parameters are read from a config file.
> We also analysed the source code of Apache 2 and found the functions we
> need to implement, e.g., a <Directory> directive. But we don't know how we
> can implement something like this in a module. Retrieving from LDAP is
> not the real problem, but how to tell Apache that a
> <Directory> directive for a specific vhost now follows.
> Is there a chance to get something like this working using the Apache
> module API? We thought about just calling a given function in Apache 2
> itself and returning the needed values for vhost configuration.
No per-directory stuff was included in mine, so I cannot assist with that.
> The next question is how to hand over parameters like "SSLEngine On"
> from our module mod_vhost_ldap to mod_ssl, which is also used by Apache?
> Is it mod_vhost_ldap -> apache2 or mod_vhost_ldap -> mod_ssl, and how
> is this handled by Apache?
Pertaining to the "SSLEngine on" and "SSLCertificateKeyFile" type of
directives - these MUST be loaded prior to Apache receiving a request.
This is primarily because Apache needs to have those ports in a listen
state (with the associated SSL handshaking set up) BEFORE it can process
those requests. That means the SSL side HAS to be configured in the
configuration files (rather than LDAP) - unless (this could get ugly)
your module has a directive similar to the Include directive that scans
the entire LDAP directory for virtual hosts that need it. And if a host
is reconfigured (Certificate changed, or the host was added with SSL),
Apache would have to be restarted because it's not processing requests
any more, and that may as well have the stuff placed in a configuration
file.
I know that in Apache 2.2, it has the capability of starting TLS after a
connection is made, but I don't know of any browsers that implement that
process yet, so at this point it is rather dross.
> So far we have already designed the schema for LDAP implementing most of
> the features we want to use in the Apache module. If you are
> interested in this we can mail it to you.
> Also, if you are interested in taking part - every helping hand is welcome :)
> At the beginning we didn't think this would become a large thing, but
> after some reading we got disabused :)
> Greets
> Andreas and Max
Just to rant a bit, one thing I found with a virtual host sourced in
LDAP is that if someone typed in "www.sharktooth.org" or
"sharktooth.org", there had to be TWO entries in LDAP (one for each host
name). This to me was rather unacceptable. So, I rebuilt my own from the
ground up that checks for the existence of a
"dc=mycompany,dc=org,dc=sharktooth,dc=www" and slowly worked its way to
the top of the directory - stopping at the closest match (e.g.
"dc=mycompany,dc=org,dc=sharktooth"). That way, as long as the DNS
resolves to an appropriate address, my LDAP will find the closest match
to the host and use it. That gave me the ability to set up some global
catch-alls for hosted sites that I didn't know about and have those
redirect to more appropriate messages (e.g. "dc=mycompany,dc=com").
Just something to think about. (Mine also set headers used in wrapping
the sites with a template, just because I am super-lazy). I hope the
rant will be beneficial to you.
Joe
--
Joseph Lewis <http://sharktooth.org/>
"Divide the fire, and you will sooner put it out." - Publius Syrus
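The closest-match walk Joe describes, written out as an added example (this is not code from the thread, from Joe's module or from mod_vhost_ldap). The DN layout follows his post as written: a fixed base, then one dc= component per host label appended from the TLD inward, so "www.sharktooth.org" becomes "dc=mycompany,dc=org,dc=sharktooth,dc=www" and the lookup strips one component per step until an entry exists. The base DN, the in-memory dictionary standing in for the LDAP directory and its attribute values are all constructed for the example. One check the post does not mention but a module fed by the Host header needs: each label is validated as a DNS label before it is spliced into a DN, so a crafted Host value containing ',' or '=' is refused rather than turned into extra DN components.

```python
"""Closest-match virtual-host lookup against an LDAP-like tree.

Added example, not code from the thread or from mod_vhost_ldap. It
models the DN layout from Joe's post (base first, then one dc= per host
label from the TLD inward) and walks toward the base until the first
existing entry is found, so both "www.sharktooth.org" and
"sharktooth.org" resolve to the single "dc=...,dc=sharktooth" entry.
"""
import re

BASE_DN = "dc=mycompany"  # assumed base; the post does not name one

# Constructed stand-in for the LDAP directory: DN -> vhost attributes.
DIRECTORY = {
    "dc=mycompany,dc=org,dc=sharktooth": {"DocumentRoot": "/srv/www/sharktooth.org"},
    # catch-all for any otherwise unknown .com host
    "dc=mycompany,dc=com": {"Redirect": "https://www.mycompany.com/unknown-site"},
}

# RFC 1123 hostname label: letters, digits, hyphen, 1-63 chars, no leading
# or trailing hyphen. Anything else (',', '=', '+', spaces, ...) is refused
# rather than escaped, so a Host header cannot inject DN components.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def candidate_dns(host):
    """Return candidate DNs for ``host``, most specific first, ending at BASE_DN.

    ``host`` is the raw Host header value: an optional :port is dropped,
    case is folded and a trailing dot (FQDN form) is removed.
    Returns None if the value is not a plain hostname made of valid labels.
    """
    host = host.strip().lower()
    if host.startswith("["):          # IPv6 literal: no hostname to map
        return None
    host = host.split(":", 1)[0]      # drop :port
    host = host.rstrip(".")
    labels = host.split(".")
    if not all(_LABEL.match(label) for label in labels):
        return None
    # reverse the labels so the TLD is appended first: org, sharktooth, www
    parts = [BASE_DN] + ["dc=" + label for label in reversed(labels)]
    # full DN first, then drop one trailing component per step down to the base
    return [",".join(parts[:n]) for n in range(len(parts), 0, -1)]


def lookup_vhost(host, directory=DIRECTORY):
    """Return (dn, attrs) of the closest matching entry for ``host``, or None."""
    candidates = candidate_dns(host)
    if candidates is None:
        return None
    for dn in candidates:
        # against a real directory this would be one base-scope search per DN
        if dn in directory:
            return dn, directory[dn]
    return None


if __name__ == "__main__":
    for h in ["www.sharktooth.org", "sharktooth.org:443", "Mail.Sharktooth.ORG.",
              "unknown.example.com", "nothing.invalid", "a,dc=org"]:
        print(f"{h:24} -> {lookup_vhost(h)}")
```

Each step of the walk costs one directory search, so a host with many labels that matches nothing issues a search per label before falling through to the base; caching negative results per DN keeps an unknown host from hammering the directory on every request.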